LETTERS TO THE EDITOR 


Contracting a Boot Virus From a Floppy Diskette 

I would like to commend Mark Lofgren on his article about computer 
viruses and virus hoaxes (“Psychological Viruses,” NetWare Connection, 
Oct. 1998, p. 34). 

I would also like to offer some additional information: In the section 
concerning boot sector viruses, the article mentioned that booting from 
an infected floppy diskette would cause the hard drive to become infected. 
I would add that the computer does not have to boot successfully to in- 
fect the hard drive. If a user attempts to boot a computer from an infected 
floppy diskette and receives the error that no boot device is available, the 
hard drive may still become infected—just as if the computer successfully 
boots from the floppy diskette. This infection usually happens when users 
forget that a floppy diskette is still in the floppy drive when they restart 
the computer. 

Thanks for the article, and keep up the good work. 

Jim Parry 


Shedding Some Light on Networking 

Thank you for such a basic but descriptive article regarding Novell Direc- 
tory Services (NDS) and Zero Effort Networks (Z.E.N.works) (“NDS and 
Z.E.N.works: Creating Transparent, Easily Managed Networks,” NetWare 
Connection, Oct. 1998, pp. 24-33). My CIO and director don’t have much 
networking experience, and this article shed some light on the topic for them. 


Just as the article states, I dream of an easily managed network. I am 
getting ready to roll out Windows NT to our users and have purchased 
Z.E.N.works to manage applications, users, and workstations. Thanks to 
Novell and Z.E.N.works, I will soon be realizing my dream of an easily man- 
aged network. 

Again, thank you Novell, and thank you Sandy Stevens for such an in- 
formative, but not overly technical, article. 

Jason Skyberg 


BorderManager 3.0 Compatibility 

I enjoyed the article on BorderManager 3.0 (“BorderManager 3.0: 
Patrolling the Borders of Your Network,” NetWare Connection, Oct. 1998, 
pp. 6-21) and found it very informative. However, the article left me with 
one question: Which versions of NetWare is BorderManager 3.0 com- 
patible with? I searched the article and cannot find any mention of this 
information. 


Mark Achtemichuk 


Thank you for your interest in BorderManager 3.0. I can’t believe I neglected 
to include such an essential detail! BorderManager 3.0 will run on NetWare 4.11 
and NetWare 5. 

Linda Boyer Kennard, author 


Another Upgrade Solution for NetWare 3.12 

The article “Upgrading From NetWare 3.12 to NetWare 4.11” (NetWare 
Connection, Nov. 1998, pp. 35-36) was informative. However, I want to 
mention that there is another option available to companies that do not 
need to upgrade to NetWare 4.11 or NetWare 5. Novell’s NetWare 3.2 
Enhancement Pack is a quick and simple solution to upgrading your 
NetWare 3.12 network. 

Many companies are happy with NetWare 3.12 because it works so 
well. The NetWare 3.2 Enhancement Pack will improve system reliability, 
plus the NetWare 3.2 Enhancement Pack will make NetWare 3.12 year- 
2000 ready. 

Carol Pellicott Strouse 
FEATURE 

It's All Holes Barred 

Linda Boyer Kennard 


Novell International Cryptographic Infrastructure (NICI) is 
the sort of name that you don’t forget, even after seeing or 
hearing it only once. The full name of this NetWare 5 feature is 
too much of a mouthful to go unnoticed, and the acronym— 
NICI—is too catchy to forget. If you are like most network ad- 
ministrators, however, you know very little about this new 
NetWare 5 feature. 

As the name suggests, NICI is a modular infrastructure of 
network cryptographic services. (For definitions of NICI and 
NICI-related terms, see “Crypto Lingo” on p. 18.) NICI already 
supports a number of cryptographic algorithms—including Data 
Encryption Standard (DES); Triple DES; RC2; RC4; Rivest, 
Shamir, and Adleman (RSA)—and has the potential to support 
countless more. And here’s perhaps the best news: NICI com- 
plies with the international import and export restrictions gov- 
erning the use of cryptography. You realize what that means, 
don’t you? With NICI, you can use the strongest cryptograph- 
ic algorithm legally allowed in the country in which you’re 
running NetWare 5. 

As laws restricting the use of cryptographic algorithms relax, 
NICI will allow you to easily upgrade the cryptography on your 
company’s network without worrying about complying with local 
cryptographic laws: Each Novell-approved upgrade to NICI will 
be legal. As laws relax and new algorithms emerge, Novell and 
other third-party developers will create new NICI NetWare Load- 
able Modules (NLMs) that contain the new cryptographic algo- 
rithms. When you install the new NICI NLMs, all of the NICI- 
based applications on your company’s network will automatically 
have access to the newer and stronger algorithms on these NLMs. 

NICI also simplifies network management, particularly glo- 
bal network management. To comply with the wide range of 
international restrictions on cryptographic products today, you 
might have to run multiple versions of the same application 
that provides cryptographic services. That is, you might have to 
run a different version for every country in which your com- 
pany has a branch office. In contrast, you need run only one 
version of a NICI-based application for any of your branch of- 
fices—whether those offices are located in the United States, 
Germany, France, Argentina, or even Russia. 
Although NICI may be good news for you, it’s even better 
news for developers. In fact, “if you were to ask, ‘Who will most 
likely be excited about NICI?’” says Roger Schell, corporate se- 
curity architect at Novell, “the answer would be ‘developers.’” 
Developers should be excited about NICI for several reasons: 


* Developers who want to create an application that provides 
cryptographic services for worldwide consumption can build 
and ship just one version of this application. 

* Developers who build NICI-based applications will obtain 
export approval in less time and with less hassle because 
NICI has already met the U.S. government regulations on 
the exportation of cryptographic products. 

* Developers who write NICI-based applications can save mon- 
ey. Typically developers who write applications that provide 
cryptographic services have to purchase rights to use a crypto- 
graphic library from a company that provides such libraries, 
such as RSA Data Security Inc. In contrast, developers who 
write NICI-based applications pay no royalties for the use of 
cryptographic code. And that pragmatic point, Schell claims, 
is precisely “why developers will care about NICI.” 


MODULAR CRYPTO 

Before you can determine how you or anyone else will benefit 
from NICI, you need to understand how it works. (See Figure 
1 on p. 9.) And to understand how NICI works, you need at 
least a brief introduction to the dynamically loadable NLMs 
that comprise NICI: 


* Cryptography Library or XLIB (pronounced X-lib) modules 

* Cryptography Manager or XMGR modules 

* Cryptography Engine or XENG (typically called X-engine) 
modules 

* Cryptography Engine Support or XSUP (pronounced X-sap) 
module 

* Cryptography Interface Manager or 
XIM (pronounced X-im) module 


Technically, any one server running 
NetWare 5 could have more than one of 
each of the following NICI NLMs: XLIB, 
XMGR, and XENG. But there is only 
one XSUP and only one XIM for every 
NetWare 5 server. 

The discussion that follows is a general 
introduction to NICI architecture and, as 
such, is far from exhaustive. However, 
this discussion should provide you with 
enough details about the purpose of each 
NICI module for you to gain at least a ba- 
sic understanding of NICI architecture. 


XLIB—THE MIDDLEMAN BETWEEN 
APPLICATIONS AND NICI 

An XLIB is a collection of cryptographic services, such as user data encryption and decryption services. Applications request XLIB services via an XLIB Application Program Interface (API). To deliver the services that applications request, the XLIB communicates with an XMGR, which in turn communicates with an XENG. In other words, an XLIB is the middleman between applications and NICI: XLIBs accept requests for cryptographic services and interact with NICI to provide these services to applications. Applications have no contact with NICI except through an XLIB. 

[Figure 1. The architecture of NICI. Elements shown in the figure: Applications; CCS API; Upper MABLE and Lower MABLE; XLIBs; Subset of Operating System Services; XIM (part of the NetWare 5 NLM Loader). Link types in the legend: Static Link; XIM-Ensured Link.] 


A Key For Every Occasion 

Novell International Cryptographic Infrastructure (NICI) has a key for every occasion. NICI relies on separate categories of keys that are used with both symmetric and asymmetric algorithms, which are commonly called public-key algorithms. (For more information about symmetric and public-key algorithms, see the “The Level of Security Lies in the Key” section on p. 12 in the main article.) 

The keys in each category serve unique purposes and have different strengths: 

* Data confidentiality and integrity keys 
* Key management keys 
* Key archival keys 
* Public-key certification keys 
* NICI operational keys 

DATA CONFIDENTIALITY AND INTEGRITY KEYS 

NICI uses data confidentiality and integrity keys to encrypt and decrypt user data and to sign and verify encrypted data for applications that request such services from a NICI XLIB. (For more information about the XMGR and XLIB, see the “Modular Crypto” section on p. 8 in the main article.) A NICI XMGR module called the Key Generation XMGR generates data confidentiality and integrity keys, which can be either symmetric keys or public-private key pairs. 

This XMGR module generates the data confidentiality and integrity keys when the XLIB forwards an application's request for encryption/decryption and signing/verifying services. The XLIB also indicates the strength of the key the application is requesting. However, the strength of the key the application actually gets might or might not match the requested strength. 

The strength of data confidentiality and integrity keys depends upon NICI policies, which accompany all XENGs. The specific details contained in these policies vary, depending on several factors, including which XENG your company is using. For example, data confidentiality and integrity policies embedded in the Domestic XENG enable NICI to use up to 128-bit symmetric keys. The Worldwide XENG, in contrast, uses only up to 40-bit symmetric data confidentiality keys. 

KEY MANAGEMENT KEYS 

NICI uses key management keys to encrypt other keys when those keys are passed to applications for storage outside of NICI or distributed between servers. The Key Generation XMGR generates key management keys, which can be either symmetric keys or public-private key pairs. The XMGR generates key management keys when NICI is installed. 

The strength of the key management keys that the XMGR generates depends on which XENG your company is using. If your company is using the Domestic XENG, NICI uses either Triple Data Encryption Standard (DES) with 192-bit keys or Rivest, Shamir, and Adleman (RSA) with 1,024-bit keys. If your company is using the Worldwide XENG, NICI uses either DES with 64-bit keys or RSA with 512-bit keys. 

KEY ARCHIVAL KEYS 

NICI uses key archival keys to encrypt keys that the Key Generation XMGR generates before the XMGR archives those generated keys. (The Key Generation XMGR archives the keys it generates in a key archive file, which is located in the SYS:SYSTEM directory.) 

Novell generates key archival keys, which are public-private key pairs, on an XTS-300 Trusted Computing System from Wang Government Services Inc. The National Computer Security Center (NCSC) has rated this system as a B3 system, which is only one level away from the most secure system available today (an A1 system). Public key archival keys are installed when NICI is installed, and the Wang system retains the ability to recreate the associated private keys. 

The key archival keys used with the Domestic XENG are 1,024-bit asymmetric keys. The key archival keys used with the Worldwide XENG are 512-bit asymmetric keys. 

PUBLIC-KEY CERTIFICATION KEYS 

Public-key certification key pairs are installed on each NICI server and act as the certificate authority (CA) for that server. These certification keys digitally sign and verify public key certificates for all key pairs that the Key Generation XMGR generates on that server. Like the key archival keys, public-key certification keys are generated on the Wang system at Novell. 

NICI public-key certification keys are 1,024-bit RSA key pairs (for both the Domestic and the Worldwide XENGs). 

NICI OPERATIONAL KEYS 

NICI uses the operational keys to enforce its control of cryptography. That is, operational keys digitally sign and verify the NICI modules, NICI policies, and public key certificates for NICI’s key archival keys and public-key certification keys. NICI operational keys are public-private key pairs that are generated on the Wang system. 

NICI operational public keys are installed with NICI (as part of the XIM) and embedded in the NICI modules. When installing and loading NICI modules, the XIM uses the NICI operational public key to verify the signature on each of the modules the XIM loads. 

NICI operational keys are 2,048-bit RSA key pairs (for both the Domestic and Worldwide XENGs). 


NetWare 5 currently ships with only one XLIB, the Controlled Cryptography Services (CCS) XLIB. Most of the cryptographic services an application might need are available in the CCS XLIB via the CCS API. Novell has included the CCS API in the Novell Developer Kit (NDK) since October 1998. (For more information about the CCS API, see http://developer.novell.com/ndk/cryptlib.htm. If you are a developer, you might want to click the Documentation link, which allows you to download a .pdf document titled “Controlled Cryptography Services Software Development Specification.”) 

The CCS API supports the development of server-based cryptographic applications for NetWare. This API provides an interface for the following cryptographic services: 

* Encryption 
* Decryption 
* Certificate creation 
* Certificate verification 
* Signature verification 
* Message digest creation 
* Random number generation 

The CCS API also includes options for various algorithms and algorithm key types. Because the U.S. Department of Commerce has granted Novell approval to export NICI as a mass-market product, NICI-based applications are subject to a comparatively short, one-time export review process. U.S. developers need only demonstrate that in building their NICI-based application they used the CCS API properly and they included no additional cryptographic functionality. (Naturally, developers outside the U.S. are subject to the export review processes conducted in their own country.) 

Although NetWare 5 includes only one XLIB, Novell recognizes that the need for application-specific XLIBs may arise. As a result, Novell and other third-party developers can develop application-specific XLIBs. However, Novell intends to expand the CCS XLIB and the CCS API to provide additional services rather than writing numerous application-specific XLIBs. 

By providing only the CCS XLIB, Novell offers developers a more flexible development environment. If Novell wrote application-specific XLIBs, Novell alone could provide the particular services contained in these XLIBs. For example, if Novell built an application-specific XLIB for Secure Sockets Layer (SSL) support, Novell alone could provide SSL, explains Schell. 

“In other words,” Schell sums up, “we could have said, ‘We’ve got SSL, and no one else can build SSL on top of NICI.’ But that’s not what we think makes sense.” What makes sense to Novell is providing one XLIB and one API that enables developers to access any NICI service. That way, developers can write their own version of SSL and other services. 
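The module-signature check that the “A Key for Every Occasion” sidebar attributes to the XIM (an operational public key embedded in the loader verifies each NICI module before it is loaded, so a tampered or unsigned module is refused) is modelled below in Python. This is an added example and is not Novell's XIM or NICI code: the `ModuleLoader` class, the module names and the textbook RSA key are all constructed for the demonstration, the key is built from two publicly known Mersenne primes so that the code runs with only the standard library, and unpadded RSA over a raw hash is not a secure signature scheme.

```python
"""Model of a load-time signature check: the loader carries only the public
key; modules are signed elsewhere with the private key. Added example, not
Novell code. The RSA key below is a toy built from public primes."""
import hashlib

# Toy RSA parameters, constructed for this example. Both primes are well-known
# Mersenne primes, so anyone can derive D: this key demonstrates the mechanism
# only and provides no secrecy. N is ~648 bits, so a 256-bit digest fits below it.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537                              # public exponent (embedded in the loader)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (stays with the signer)


def module_digest(module_bytes: bytes) -> int:
    """SHA-256 of the module image as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(module_bytes).digest(), "big")


def sign_module(module_bytes: bytes, private_exponent: int = D) -> int:
    """Signer side: sign the module digest with the private exponent."""
    return pow(module_digest(module_bytes), private_exponent, N)


def verify_module(module_bytes: bytes, signature: int, public_exponent: int = E) -> bool:
    """Loader side: recover the digest from the signature and compare."""
    return pow(signature, public_exponent, N) == module_digest(module_bytes)


class ModuleLoader:
    """Stand-in for the XIM: a module is loaded only if its signature verifies
    under the embedded public key; anything else is rejected and left unloaded."""

    def __init__(self, public_exponent: int = E):
        self.public_exponent = public_exponent
        self.loaded = []
        self.rejected = []

    def load(self, name: str, module_bytes: bytes, signature: int) -> bool:
        if not verify_module(module_bytes, signature, self.public_exponent):
            self.rejected.append(name)
            return False
        self.loaded.append(name)
        return True


def demo():
    """Load a correctly signed module, then a modified copy, then an unsigned one."""
    xeng = b"XENG: constructed stand-in for a signed NICI module image"
    sig = sign_module(xeng)                      # produced by the key holder
    loader = ModuleLoader()                      # holds only E and N
    genuine = loader.load("XENG.NLM", xeng, sig)
    tampered = loader.load("XENG.NLM", xeng + b"\x90", sig)   # one byte appended
    unsigned = loader.load("ROGUE.NLM", b"module with no signature", 12345)
    return genuine, tampered, unsigned, list(loader.loaded), list(loader.rejected)


if __name__ == "__main__":
    print(demo())
```

The point of the split is that `ModuleLoader` never sees `D`: it can establish that a module was signed by whoever holds the private exponent, but it cannot produce a valid signature itself, which is exactly the property that lets a public key ship inside every copy of the loader.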


XENG—THE NICI WORKHORSE 

In the hierarchical order of the NICI 
modules, XMGRs are next because XLIBs 
access only XMGRs, which in turn access 
XENGs on that system. (See Figure 1 on 
p. 9.) However, understanding XENGs 
will help you better understand what 
XMGRs do. 

An XENG is a NICI workhorse: An 
XENG processes the actual algorithms 
used to provide cryptographic services, 
such as encryption, decryption, message 
digest creation, and digital signature veri- 
fication. NICI provides several XENGs, 
which include a variety of cryptographic 
algorithms such as DES, Message Digest 
5 (MD5), and RSA. 
How Do You Take Your Crypto? 

NICI currently provides three XENGs 
to accommodate the laws of the various 
regions in which Novell ships NetWare 5. 
Novell cannot ship the same XENG all 
over the world because certain countries, 
notably France and Russia, restrict the 
importation or use of U.S. cryptography. 

To resolve the dilemma caused by 
these restrictions, Novell includes differ- 
ent levels of cryptography in NetWare 5. 
The level of cryptography you get with 
NetWare 5 depends on the country in 
which your company operates. Novell 
offers three levels of cryptography pro- 
vided by three XENGs: 


* The Null XENG provides no cryptog- 
raphy for countries that restrict the im- 
portation or use of U.S. cryptography 
(including France and Russia). 

* The Worldwide XENG includes the 
Null XENG and also provides 40-bit 
encryption for countries that allow the 
importation of 40-bit encryption. For 
example, Novell ships the Worldwide 
XENG to most European countries. 

* The Domestic XENG includes the 
Null XENG and provides both 40-bit 
and 128-bit encryption for the United 
States and Canada. 


The Null XENG—What’s the Point? 
After reading the descriptions of the 
XENGs NICI provides, you might justi- 
fiably ask: “What’s the point of the Null 
XENG? After all, it provides no encryp- 
tion.” The Null XENG enables Novell 
to ship only one version of NetWare 5— 
without having to rewrite code in the 
applications that depend on NICI. 

Without the Null XENG, Novell 
would have to release a version of 
NetWare 5 that did not include NICI 
for countries to which Novell is unable 
to ship NICI. If Novell shipped versions 
of NetWare 5 that did not include NICI, 
Novell and third-party developers would 
no longer be able to build one applica- 
tion for worldwide use. Instead, Novell 
and third-party developers would have 
to rewrite application code to tell the 
application what to do when NICI is 
not available. 

The Null XENG ensures that applica- 
tions will not break or abend the server: 
Applications just use whichever XENG 
is available—even if that means using an 
XENG that provides no cryptography. 
Hence, the Null XENG enables you to run 
the same version of a NICI-based applica- 
tion in all branch offices, regardless of 
where those offices are located. 


The Level of Security Lies in the Key 

As mentioned earlier, the Worldwide 
and Domestic XENGs provide 40-bit and 
128-bit encryption, respectively. These 
bit sizes refer to the size of the key that 
is legally allowed for use with symmetric 
algorithms for encrypting and decrypting 
user data. 

In the context of cryptography, a key 
is one value in a large range of possible 
values. The strength of a key depends on 
how large the range of possible values is. 
The range of possible values and, there- 
fore, the strength of a key is defined by 
the key’s bit-size. 

For example, with a 56-bit key, only 
one value among 2^56 possible values is the 
correct key. Likewise, for a 128-bit key, 
only one value among 2^128 possible values 
is the correct key. As you have probably 
deduced, the larger the possible number 
of values, the stronger the key. (For more 
information about keys, see the sidebar 
“The Key to Security,” NetWare Connection, 
Feb. 1998, p. 12. You can download this 
sidebar from http://www.nwconnection. 
com/feb.98/vpn28/thekey28.html.) 
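To make the 2^n arithmetic concrete, the following added example (not from the article) builds a toy stream cipher, recovers a 16-bit key by trying every value, and then compares key spaces; `strength_ratio(56, 40)` reproduces the “64,000 times more powerful” comparison made later in the “Upgrading to Stronger Cryptography” section (the exact figure is 2^16 = 65,536). The cipher, the key size, the sample plaintext and the guessing rate are all constructed for the demonstration.

```python
"""Key space versus exhaustive search. Added example, not the article's code.
The toy cipher XORs the plaintext with a SHA-256-derived keystream so that
each key guess costs one hash; it exists only to make counting guesses easy."""
import hashlib


def keystream(key: int, key_bits: int, length: int) -> bytes:
    """Expand an integer key into `length` bytes of keystream (toy construction)."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key_bytes + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: int, key_bits: int, plaintext: bytes) -> bytes:
    """XOR stream cipher; decryption is the same operation with the same key."""
    stream = keystream(key, key_bits, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def key_space(key_bits: int) -> int:
    """Number of possible key values: exactly one of them is the correct key."""
    return 1 << key_bits


def strength_ratio(stronger_bits: int, weaker_bits: int) -> int:
    """How many times larger the stronger key space is (2^56 / 2^40 = 65,536)."""
    return 1 << (stronger_bits - weaker_bits)


def years_to_exhaust(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to try every key at a constructed guessing rate."""
    return key_space(key_bits) / keys_per_second / (365 * 24 * 3600)


def brute_force(key_bits: int, plaintext: bytes, ciphertext: bytes):
    """Recover the key from one known plaintext/ciphertext pair by trying every
    value in order. Returns (recovered_key, number_of_trials)."""
    for candidate in range(key_space(key_bits)):
        if encrypt(candidate, key_bits, plaintext) == ciphertext:
            return candidate, candidate + 1
    return None, key_space(key_bits)


def demo(key_bits: int = 16, secret_key: int = 0xBEEF):
    """Encrypt under a toy key, then count how many guesses recovery took."""
    plaintext = b"constructed sample record"          # known-plaintext setting
    ciphertext = encrypt(secret_key, key_bits, plaintext)
    recovered, trials = brute_force(key_bits, plaintext, ciphertext)
    return recovered, trials, key_space(key_bits)


if __name__ == "__main__":
    print(demo())
    print("56-bit vs 40-bit key space:", strength_ratio(56, 40))
    for bits in (40, 56, 128):
        print(f"{bits}-bit key: {years_to_exhaust(bits, 1e9):.3g} years at 1e9 keys/s")
```

Doubling the key length in `demo()` roughly doubles the number of guesses only when a single bit is added; each extra bit doubles the key space, so the 16-bit toy key falls in at most 65,536 guesses while the 128-bit case in `years_to_exhaust` is out of reach at any guessing rate.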

In cryptography, key-based crypto- 
graphic algorithms use keys for user data 
encryption and decryption, message di- 
gest creation, data signature verification, 
and other cryptographic functions. Two 
types of key-based algorithms are avail- 
able: symmetric algorithms and asym- 
metric algorithms. 

In symmetric algorithms, the encryp- 
tion key can be calculated from the de- 
cryption key and vice versa. The World- 
wide XENG and the Domestic XENG 
contain a number of symmetric algo- 
rithms, including DES, RC2, and RC4. 
In addition, the Domestic XENG in- 
cludes Triple DES. (Triple DES cannot 
be included on the Worldwide XENG 
due to U.S. export restrictions.) 

In asymmetric algorithms, the key 
used for encryption is different from the 
key used for decryption, and the decryp- 
tion key cannot practically be calculated 
from the encryption key. These algorithms 
are often called public-key algorithms be- 
cause the encryption key can be made pub- 
lic. The decryption key, however, must 
remain private. Today the Worldwide 
XENG and the Domestic XENG contain 
only the RSA public-key algorithm. 


Countries sometimes establish certain 
restrictions for key sizes that are used to 
encrypt and decrypt user data and other 
restrictions for key sizes that are used to 
authenticate users or to encrypt other 
keys. For example, the United States 
allows the exportation of only a 40-bit 
symmetric key for encrypting user data 
but a 64-bit symmetric key (or 512-bit 
asymmetric key) to encrypt other keys. 

When Novell says that the World- 
wide XENG provides 40-bit encryption 
and the Domestic XENG provides 128- 
bit encryption, Novell means that the 
Worldwide XENG enables applications 
to use a symmetric key of 40 bits to en- 
crypt and decrypt user data. Likewise, 
the Domestic XENG enables applica- 
tions to use a symmetric key of 128 bits 
to encrypt and decrypt user data. The 
keys NICI uses for other cryptographic 
purposes (such as keys used to encrypt 
other keys before transmitting them) 
are stronger. (For more information 
about the keys NICI uses internally for 
key management, see “A Key for Every 
Occasion” on p. 10.) 


Upgrading to Stronger Cryptography 

The U.S. laws in effect at the time 
NICI was developed dictated the use of 
40-bit encryption for export and 128-bit 
encryption for the United States and Can- 
ada. Because NICI has a modular architec- 
ture, however, you can easily add a NICI 
XENG when you need to upgrade to a 
higher strength cryptography. As Novell 
and other third-party developers create 
additional XENGs, you will be able to 
purchase and install these XENGs as 
your company’s needs and government 
regulations change. 

When you install new XENGs, all of 
the applications on your company’s net- 
work that use NICI will automatically 
have access to the new cryptography avail- 
able on the XENG(s) you install. (For 
more information about the applications 
included with NetWare 5 that use NICI 
services, see “NetWare 5’s NICI Consum- 
ers” on pp. 14-15.) 

In fact, if your company received the 
NetWare 5 CD-ROM that included only 
Null and 40-bit encryption, you might 
soon be able to upgrade to 56-bit DES 
encryption. Novell began making plans 
for such an upgrade weeks after the Sept. 
16 statement from the U.S. Office of the 
Press Secretary. (You can download this 
press statement from http://www.jya.com/ 
wh091698.htm.) 

This statement announced that 
the Clinton Administration had relaxed 
the policies regarding the use and ex- 
portation of cryptography. The new 
guidelines “allow encryption hardware 
and software products with encryption 
strength up to 56-bit DES or equivalent 
to be exported without a license” to all 
users (except those in the seven coun- 
tries to which the United States pro- 
hibits the exportation of any product, 
namely Iran, Iraq, Libya, Syria, Sudan, 
North Korea, and Cuba). 

Novell reacted immediately to this 
news, seeking verification from the U.S. 
government that it could provide 56-bit 
DES encryption or the equivalent—which 
is 64,000 times more powerful than 40-bit 
encryption—to its customers in countries 
where these export guidelines apply. By 
Nov., the U.S. government had given 
NetWare 5’s NICI Consumers 


In general, applications use cryptography for security pur- 
poses. But for what, specifically, do applications use cryptog- 
raphy? For one thing, applications use cryptography for au- 
thentication purposes, which means the applications use crypto- 
graphic functions to prove the identity of persons or to prove 
the legitimacy of various objects, such as files or messages. 

For example, Novell Directory Services (NDS) authenticates 
users to the network by sharing a secret, in the form of a pass- 
word, with a user. To ensure that this user alone knows the se- 
cret (and no one else discovers and falsely uses it), NDS en- 
crypts the password before transmitting it. Similarly, Novell In- 
ternational Cryptographic Infrastructure (NICI) ensures that no 
one discovers the keys it uses to encrypt and decrypt security 
data (such as passwords and keys): NICI encrypts the keys it 
generates before transmitting these keys to other servers or to 
storage areas outside of NICI parameters. 

Applications also use cryptography to encrypt and decrypt 
user data and to sign and verify both encrypted security and 
user data. Signing encrypted data ensures that data remains 
unchanged. (See digital signature in “Crypto Lingo” on p. 18.) 

The following NetWare 5 protocols, services, and applica- 
tions use the cryptographic services NICI provides for unique, 
security-related purposes: 


* Public-Key Infrastructure Services (PKIS) 
* Secure Authentication Services (SAS) 
* NetWare Core Protocol (NCP) packet signatures 
* Service Location Protocol (SLP) 
* Secret Store for NDS 


PUBLIC KEY INFRASTRUCTURE SERVICES (PKIS) 

NICI provides cryptographic services for the new PKIS, 
which is a NetWare Loadable Module (NLM) and a snap-in 
module to the NetWare Administrator (NWADMIN) utility. PKIS 
enables your company to establish and manage its own certi- 
ficate authority (CA)—rather than use a third-party CA. PKIS 
also works with most commercial CAs, such as VeriSign. 

By establishing a CA in your company’s NDS tree, PKIS en- 
ables you to request, generate, manage, and store your own 
public-key certificates and their associated key pairs for use 
within your company. For example, you can use these certifi- 
cates to sign and verify confidential files, so that recipients 
can verify that the source of the file is legitimate and that its 
contents are unchanged. 

PKIS uses the cryptography services provided by NICI. That 
is, using the Controlled Cryptography Services (CCS) Applica- 
tion Program Interface (API), PKIS calls the CCS XLIB to com- 
plete functions such as generating certificates. 


SECURE AUTHENTICATION SERVICES (SAS) 

SAS is another NICI consumer. SAS is an infrastructure 
that supports both existing and emerging authentication mech- 
anisms, such as biometric systems and token-authentication 
systems. In NetWare 5, SAS provides support for Secure Sock- 
ets Layer (SSL) version 3. (SSL is a protocol designed by Net- 
scape Communications. SSL enables encrypted, authenticated 
communications between web browsers and servers across 
the Internet.) 

Server applications use SAS to establish SSL connections. For 
example, Novell’s LDAP Services for NDS uses SAS to establish 
SSL-secured Lightweight Directory Access Protocol (LDAP) con- 
nections to NDS. (Incidentally, PKIS also plays a part in support- 
ing SSL. Through PKIS, you generate and manage the public-key 
certificates and associated private keys that SSL uses.) 

SAS is built entirely on NICI. For example, when establish- 
ing an SSL connection, SAS uses the CCS API to call the CCS 
XLIB for encryption services. Because SAS is built on NICI, the 
strength of the encryption algorithms and keys being used will 
always be the strongest allowed in the country where NetWare 
5 is being run. 


NETWARE CORE PROTOCOL (NCP) PACKET SIGNATURES 

The NCP packet signature is another NICI consumer. A fea- 
ture of NetWare 3.1 and above, NCP is a series of procedures 
that NetWare servers follow to accept and respond to client re- 
quests, such as requests to create or destroy a service connec- 
tion or to manipulate a file or directory. 

The NCP packet signature prevents forgery of NCPs by requir- 
ing the server and the client to attach a digital signature to each 
NCP packet. If an NCP packet contains an incorrect signature, 
NetWare discards the packet without breaking the client's con- 
nection to the server. The NCP packet signature offers one line 
of defense against unauthorized users accessing the network. 

Because NetWare 5 can use IP, Novell had to rebuild the NCP 
packet signature for IP. To rebuild this security feature, Novell 
linked NCP to the CCS API, which calls the CCS XLIB to ask 
NICI to generate the packet signature for each NCP packet. 

The NICI-based NCP packet signature is for IP environments. 
The existing cryptographic code for the IPX-based NCP packet 
signature remains unchanged and, therefore, does not use NICI. 
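A minimal model of the packet-signature behaviour described above (every packet carries a signature; a packet whose signature does not verify is discarded while the client's connection stays up), added here as an example and not taken from NetWare's NCP implementation. The page does not describe the signature algorithm itself, so the example assumes a keyed HMAC-SHA256 tag over each packet as a stand-in; the `NcpSession` class, the session key and the packet contents are constructed.

```python
"""Signed packets on a persistent connection. Added example, not NetWare code.
Assumption: both ends share a per-connection key and tag each packet with a
truncated HMAC-SHA256; the real NCP signature algorithm is not on the page."""
import hashlib
import hmac

SIG_LEN = 8  # bytes of tag appended to each packet; constructed choice


class NcpSession:
    """One end of a connection: signs outgoing packets, verifies incoming ones."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.accepted = []      # payloads whose signature verified
        self.discarded = 0      # packets dropped for a bad or missing signature
        self.open = True        # a bad packet never tears the connection down

    def _tag(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.sha256).digest()[:SIG_LEN]

    def sign(self, payload: bytes) -> bytes:
        """Build an outgoing packet: payload followed by its signature."""
        return payload + self._tag(payload)

    def receive(self, packet: bytes) -> bool:
        """Verify an incoming packet; drop it silently if the signature is wrong."""
        if len(packet) <= SIG_LEN:
            self.discarded += 1
            return False
        payload, tag = packet[:-SIG_LEN], packet[-SIG_LEN:]
        # compare_digest avoids leaking where the comparison failed via timing
        if not hmac.compare_digest(tag, self._tag(payload)):
            self.discarded += 1
            return False
        self.accepted.append(payload)
        return True


def demo():
    """Deliver one genuine, one unsigned and one altered packet to a server."""
    key = b"constructed-session-key"
    client, server = NcpSession(key), NcpSession(key)
    genuine = client.sign(b"NCP: open SYS:PUBLIC/README.TXT")
    unsigned = b"NCP: open SYS:PUBLIC/README.TXT" + b"\x00" * SIG_LEN
    altered = bytearray(genuine)
    altered[5] ^= 0x01                                # flip one bit in the payload
    results = [server.receive(genuine), server.receive(unsigned), server.receive(bytes(altered))]
    return results, server.discarded, server.open, len(server.accepted)


if __name__ == "__main__":
    print(demo())
```

Note that `receive` reports a bad packet only through the `discarded` counter and never changes `open`, which matches the behaviour the text describes: the bad packet goes away, the session does not. A counter like this is also what you would feed into monitoring, since a rising discard rate on a connection is the observable sign of forged or corrupted traffic.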


SERVICE LOCATION PROTOCOL (SLP) 

SLP is also a NICI consumer. Clients and servers in a NetWare 
5 IP environment use SLP to discover network services. SLP main- 
tains a registry of available services in NDS and registers a par- 
ticular service's availability only once when that service first be- 
comes available on the network. SLP uses two agents to discover 
and add available network services to the registry in NDS: 


* Service agents 
* Directory agents 


Service agents check the network for available network ser- 
vices and create SLP messages to notify directory agents about 
which services are available. Directory agents add the available 
services to the registry in NDS. (For more information about SLP 
see “Service Location Protocol: Discovering Services in a Pure IP 
Environment,” NetWare Connection, July 1998, pp. 32-37. You 
can download this article from http://www.nwconnection.com/ 
jul.98/slp78.) 

Service agents generate digital signatures and append these 
signatures to SLP messages. Directory agents verify the digital 
signatures to ensure that the source of the message is legiti- 
mate and the message is unchanged. Using the CCS API, SLP 


calls the CCS XLIB to request NICI services for signing and 
verifying SLP messages. 


SECRET STORE FOR NDS 

Novell plans to release Client NICI soon. What will the Client 
NICI provide that the server version of NICI does not? For one 
thing, the Client NICI will provide a set of cryptographic APIs 
that run on the client. As you would expect, the current server 
version of NICI provides APIs only for applications running on 
the server. If an application that is running on a client requires 
cryptographic services, that application cannot get these services 
from NICI—that is, until Client NICI is available. 

Client NICI will also be highly cooperative in client-server 
applications that require cryptographic services. Novell expects 
that one of the first uses of Client NICI as a cooperative client 
will stem from Secret Store for NDS. (Secret Store for NDS will 
be available soon.) 

Secret Store for NDS will enable developers to write applica- 
tions that use the authenticated NDS connection to provide 
proof of identity to the applications. An application will then be 
able to check NDS for the secrets (for example, passwords, 
tokens, or private keys) users would otherwise have to enter to 
log in to that application—after logging in to the network. In 
other words, Secret Store for NDS will enable a single sign-on. 


Secret Store for NDS will extend the NDS schema to store 
users’ secrets securely as properties of User objects. Through 
Client NICI, Secret Store for NDS will also ensure that these se- 
crets are transmitted securely between server and client. When 
a user attempts to open an application that requires the entry 
of a secret, the application will query Secret Store for NDS via 
an NDS-authentication connection for the user’s secret. The 
application will then authenticate the user—without requiring 
the user to enter another secret. 

For example, suppose you attempted to access GroupWise, 
which would ordinarily prompt you for your GroupWise pass- 
word. If GroupWise were written to use the Secret Store for NDS 
API, GroupWise would not need to prompt you for your pass- 
word. Instead, GroupWise would call the Secret Store for NDS 
API on the client to request your GroupWise password. The 
Secret Store for NDS API would access the Secret Store in your 
NDS User object and return your secret GroupWise password. 

Instead of reading the password that you would otherwise 
enter on the keyboard, GroupWise would get your password 
from NDS and then proceed as usual. Through Secret Store 
for NDS, Novell will provide single sign-on capabilities for 
Entrust/PKI applications soon. In the future, Novell also plans 
to provide single sign-on capabilities for other applications 
such as GroupWise. @ 

Novell approval, and Novell began fine- 
tuning an upgrade. 


XMGR—THE NICI POLICE 

In addition to receiving service re- 
quests from XLIBs, XMGRs enforce NICI 
policies, which dictate the size and use 
of the keys that can be used with the cryp- 
tographic algorithms in XENGs. One 
XMGR, the Key Generation XMGR, ac- 
tually generates some of the keys that 
NICI uses. (For more information about 
the keys NICI uses, see “A Key for Every 
Occasion” on p. 10.) 

Novell creates all NICI policies, which 
are based on the U.S. government re- 
strictions governing the size of the key 
that can be used with a particular algo- 
rithm and for a particular purpose. 

NICI policies are inextricably bound 
to XENGs. This interdependency and 
the fact that Novell alone writes the 
policies is one of the reasons the U.S. 
government granted Novell export ap- 
proval for NICI as a mass-market prod- 
uct. Novell will not ship an XENG 
without a NICI policy, which controls 
exactly how the cryptographic algor- 
ithms in that XENG can be used. If an 
XENG did not have an accompanying 
NICI policy created and signed by No- 
vell, you could not load the XENG. 

XMGRs also select the appropriate 
algorithm to complete an XLIB request. 
Not all algorithms are well-suited for all 
cryptographic functions. For example, 
although Digital Signature Algorithm (DSA) 
can implement sign and verify functions 
(functions used to digitally sign an object 
and to verify digital signatures), DSA 
cannot implement encrypt or decrypt 
functions on user data. Similarly, al- 
though DES is a good choice for data 
encryption, DES might not be the best 
choice for digitally signing an object. 

For each requested cryptographic 
function, an XMGR has a set of al- 
gorithms from which to choose. An 
XMGR selects one of these algorithms 
unless an application specifies a par- 
ticular algorithm. 

For example, suppose a company in 
the United Kingdom were running NICI 
and that an application on the company’s 
server requested to encrypt a user data 
file. The XLIB would send this request to 
the XMGR, which would immediately 
check the policy associated with the ser- 
ver’s XENG—in this case, the World- 
wide XENG. This policy would specify 
that the Worldwide XENG in use on this 
server could use a 40-bit symmetric key 
to encrypt the data. The XMGR would 
then probably select the DES symmetric 
algorithm (unless the application explic- 
itly requested another algorithm) and 
employ a 40-bit key to encrypt the user 
data file. 


XSUP and Other Operating 
System Services 

In summary, XLIBs accept requests for 
services from applications and forward 
these requests to XMGRs. Only XMGRs 
can communicate with XENGs, and 
XMGRs administer NICI policies to en- 
sure that the algorithms the XENG con- 
tains are used appropriately at all times. If 
XLIBs can communicate with XMGRs 
and XMGRs can communicate with 
XENGs, which NICI module can the 
XENG communicate with? Only one: the 
XSUP module. XENGs do not have access 
to the NetWare operating system. Instead, 
XENGs can access only the XSUP, which 
supplies a restricted subset of operating sys- 
tem services, such as memory and thread 
management services. 

Providing a restricted subset of oper- 
ating system services to the XENG en- 
sures that the particular XENG remains 
untouchable (except by the XMGR) and, 
therefore, more secure. Because Novell 
provides these operating system services 
in a separate module, government au- 
thorities can inspect these services in 
isolation from the rest of the NetWare 
operating system. 

Some of the NICI modules—namely 
XLIB, XMGR, and XSUP—are statically 
linked to another subset of operating sys- 
tem services. Although these operating 
system services are not technically part 
of the NICI architecture, they do serve 
a NICI-related purpose. 

Why is it necessary to have this 
second subset of operating system ser- 
vices? Actually, if Novell planned to 
offer NICI only on the NetWare plat- 
form, this subset of operating system 
services would not be necessary. But 
with an eye toward the future, Novell 
made it possible to port NICI to other 
platforms without having to rewrite any 
source code. 

“When we move NICI to a different operating system,” says Schell, “we won’t have to change anything except that abstraction of operating services.” Whether NICI runs on NetWare 5, Windows NT, or UNIX, the NICI modules will have the operating services they need.


XIM CHECKS ID BEFORE ADMITTING

The XIM is part of the NetWare 5 NLM loader and is responsible for loading legitimate NICI modules. Before the XIM installs NICI modules and every time it loads NICI modules, the XIM checks the digital signature appended to the XLIB, XMGR, XENG, and XSUP modules, ensuring that these modules are legitimate and unchanged.


NICI’s Certificate Authority Hierarchy 

How does checking the digital signa- 
tures of NICI modules ensure that they 
are legitimate and unchanged? To answer 
that question, you first need a better 
understanding of digital signatures and 
their connection to digital certificates. 

Digital certificates are chunks of in- 
formation that a Certificate Authority 
(CA) binds together using a digital signa- 
ture. Each NICI module is accompanied 
by a digital certificate that has been gen- 
erated by a Novell-based CA hierarchy. 
The certificates NICI uses include infor- 
mation such as the name of the party that 
created the certificate, which should be 
Novell or a Novell-authorized agent, and 
the certificate quality, which indicates the 
security level of the system that generated 
the certificate. 

A program called the NICI Module 
Signer generates and signs NICI certifi- 
cates. The NICI Module Signer runs on 
an XTS-300 Trusted Computing System 
from Wang Government Services Inc. 
This system is stored in a highly restrict- 
ed area at Novell and maintained by No- 
vell Operations. The National Computer 
Security Center (NCSC) has rated this 
system as providing a B3 security level. 

The NCSC is a U.S. government or- 
ganization that evaluates computer sys- 
tems to determine their level of trust. To 
conduct these evaluations, the NCSC 
uses an international standard called the 
Trusted Computer System Evaluation 
Criteria (TCSEC, otherwise known as the Orange Book).

The TCSEC is divided into four divisions: D, C, B, and A. The divisions are hierarchical, with the highest, Division A, reserved for systems that provide the most comprehensive security.

Divisions C through A include subdivisions, which are called classes: C1, C2, B1, B2, B3, and A1. These six classes are also hierarchical: The higher the number, the greater the level of protection provided. In other words, B3 is the highest level of trust a B-division system can provide and second only in level of trust to an A1 system, which provides the highest level of trust available in any system. (For more information about the NCSC and its security ratings, see “NetWare 4: The Climb to C2,” NetWare Connection, Nov./Dec. 1995, pp. 6-14. You can download this article from http://www.nwconnection.com/nov-dec.95/nw4clin5.)

Novell’s high-assurance Wang system 
houses the public and private key pairs of 
a CA hierarchy that is one of the things 
that makes NICI unique. The proposed 
root of this hierarchy is a commercial CA 
that will provide certification services and 
associated liability protection. Novell is 
currently involved in discussions with a 
commercial CA that may take over the 
root of this CA hierarchy. For now, how- 
ever, Novell itself acts as the root CA. 

Underneath this proposed commer- 
cial root are two subhierarchies: 


• The Key Escrow CA
• The Novell CA


The Key Escrow CA includes an RSA 
key pair that the Novell Key Generator 
(another program that runs on the Wang 
system) generates from random data. All 
NICI key archival keys, which are used to 
encrypt and sign any NICI-generated keys 
that need to be archived, stem from this 
root Key Escrow RSA key pair. 

The Novell CA includes the root pub- 
lic and private key pair from which other 
NICI key pairs are generated. This root 
key pair is an RSA key pair (with each 
key being 2,048 bits) that the Novell Key 
Generator generates from random data. 
The private key from this Novell CA 
RSA key pair remains on the Wang sys- 
tem. The public key and its public-key 
certificate are embedded in the NICI 
XIM. The XIM uses the Novell CA 
public key and associated certificate to 
verify the digital signatures on NICI 
modules before loading these modules. 


Signed, Sealed, Delivered 

A digital signature is appended to each NICI certificate to identify and authenticate the sender (which should be Novell) of that certificate (which is one in a hierarchy of certificates). To digitally sign the NICI certificate, the NICI Module Signer uses a one-way hash function to generate a string of bits called a hash-code from the certificate. The NICI Module Signer then encrypts the hash-code with the Novell CA private key, which is stored on the Wang system.

When an XIM receives a NICI mod- 
ule, the XIM uses the Novell CA’s public 
key (which is embedded in the XIM 
code) to decrypt the certificate and the 
hash. The XIM then recomputes the 
hash-code from the certificate, again 
using the Novell CA's public key. 

The hash-code the XIM computes will 
be identical to the hash-code accompany- 
ing the NICI certificate only if the certi- 
ficate (and, therefore, the NICI module) 
has not been modified in transit. If the 
two hash-codes are equal, the XIM knows 
the NICI module has not been corrupted 
and it was in fact signed by Novell. 


CRYPTO-WITH-A-HOLE? 

Given the modular design of NICI and its dynamically loadable modules, how does Novell ensure that you or somebody else doesn’t subvert the legal cryptographic services NICI provides by substituting unlicensed, illegal cryptographic services? This problem, called crypto-with-a-hole, is a potential problem for any product that provides cryptographic services and a problem that the U.S. government diligently searches for during an export review process.

According to Schell, urban legend 
holds that the term crypto-with-a-hole 
arose from an incident involving cellular 
phones. According to this legend, a cell- 
ular phone company wanted to export 
cellular phones that had encryption 
chips, but the U.S. government said 
“No.” Purportedly, an engineer skirted 
the U.S. government’s explicit restric- 
tion by including a socket on the cellu- 
lar phone board so someone else could 
insert the encryption chip of their choice. 
“Clearly,” Schell adds with a chuckle, 
“this subverted the intent of what the 
government was trying to do.” 

Whether or not this legend is true, 
it could have happened and could hap- 
pen still were it not for current U.S. 

Crypto Lingo 


Authentication. In the context of digital security, authentication 
refers to the act of ascertaining the origin of a message to verify 
that the message actually comes from who it claims to come 
from. Authentication ensures that an intruder cannot masquer- 
ade as someone else. Digital certificates provide one way of 
ensuring the authenticity of a message. (See also confidential, 
integrity, and nonrepudiation.) 

Certificate Authority (CA). A trusted party (typically a company) 
that issues digital certificates to other parties (organizations or 
individuals) to allow those parties to prove their identity. A CA 
might be an external company, such as VeriSign, or an internal 
organization, such as a corporate IS department. 

Confidential. In the context of digital security, confidential de- 
scribes a message that is undecipherable to all except those for 
whom the message is intended. Keeping messages confidential 
is the primary purpose of cryptography. (See also integrity, au- 
thentication, and nonrepudiation.) 

Cryptography. The art and science of keeping messages secure.

Crypto-With-a-Hole. Refers to a potential problem in cryptographic products. The cryptography that is legally allowed within the country where the product is being used may have a “hole.” Users can then fill the “hole” with whatever type and strength of cryptography they choose. NICI avoids the crypto-with-a-hole problem in several ways, including using MABLE technology and checking the digital certificate of each digitally signed NICI module before loading that module. (See also digital signature and Module Authentication and Binding Library Extensions.)

Digital Certificate. Multiple pieces of information that are bound together using a digital signature and sent with a message so that, upon checking the certificate, the recipient of the message can verify the authenticity and integrity of that message. The pieces of information bound together in an X.509 certificate (which is the type that accompanies all NICI modules) include the sender’s name and public key.

NICI certificates also include the following attributes: key 
quality, certificate quality, and enterprise ID. These attributes in- 
dicate the security level of the system that generated the public- 
private key pair and the certificate, and also identify the organi- 
zation responsible for generating the certificate. 

Digital Signature. Extra data appended to a message that identi- 
fies and authenticates the sender and message data. Digital sig- 
nature is the technology used to bind together the information in 
a digital certificate. To digitally sign a message, the sender uses 
a one-way hash function to generate a string of bits called the 
hash-code from the message data. The sender then encrypts 
the hash-code. The receiver decrypts the hash (and possibly 
the data) and recomputes the hash-code. 

The hash-code the receiver computes will only be identical to the hash-code from the sender if the message has not been modified in transit. If the two hash-codes are equal, the receiver can be sure that the data has not been corrupted and that it came from the claimed sender.
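The hash-then-sign check the XIM performs on NICI modules (described above under “Signed, Sealed, Delivered”) and the Digital Signature entry here are the same mechanism seen from two sides. The Go program below is an added example, not Novell code: a signer stands in for the NICI Module Signer and a loader for the XIM. SHA-256 and PKCS#1 v1.5 padding are assumptions, since the article names neither the hash function nor the signature scheme; the 2,048-bit key size is the one the article gives for the Novell CA root key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signer stands in for the NICI Module Signer. It holds the CA private key;
// on the real system that key never leaves the isolated Wang machine.
type Signer struct {
	priv *rsa.PrivateKey
}

// NewSigner generates a fresh 2,048-bit RSA key pair (the size the article
// gives for the Novell CA root key).
func NewSigner() (*Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// PublicKey returns the half of the key pair that gets embedded in the loader.
func (s *Signer) PublicKey() *rsa.PublicKey {
	return &s.priv.PublicKey
}

// SignModule computes a one-way hash of the module image and signs the
// digest with the CA private key. SHA-256 and PKCS#1 v1.5 are assumptions;
// the article names neither the hash nor the padding scheme.
func (s *Signer) SignModule(module []byte) ([]byte, error) {
	digest := sha256.Sum256(module)
	return rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, digest[:])
}

// Loader stands in for the XIM. Only the CA public key is built into it.
type Loader struct {
	caPub *rsa.PublicKey
}

// VerifyModule recomputes the digest over the bytes it is about to load and
// checks the signature against the embedded CA public key. It returns true
// only if the image is byte-for-byte what was signed and the signature was
// produced with the private key matching the embedded public key.
func (l *Loader) VerifyModule(module, signature []byte) bool {
	digest := sha256.Sum256(module)
	return rsa.VerifyPKCS1v15(l.caPub, crypto.SHA256, digest[:], signature) == nil
}

func main() {
	signer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	loader := &Loader{caPub: signer.PublicKey()}

	// Constructed stand-in for a module image.
	module := []byte("XENG image (constructed sample)")
	sig, err := signer.SignModule(module)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine module accepted:", loader.VerifyModule(module, sig))

	// One flipped bit changes the digest, so the signature no longer matches.
	tampered := append([]byte(nil), module...)
	tampered[0] ^= 0x01
	fmt.Println("tampered module accepted:", loader.VerifyModule(tampered, sig))

	// A module signed by any other key is rejected: the loader trusts only
	// the CA key it was built with.
	other, _ := NewSigner()
	foreignSig, _ := other.SignModule(module)
	fmt.Println("foreign-signed module accepted:", loader.VerifyModule(module, foreignSig))
}
```

Two details the prose passes over quickly are visible in the code: the loader hashes the module bytes itself and uses the public key only in the signature check, and a signature made with any key other than the embedded CA key fails in exactly the same way a tampered image does. Everything therefore rests on the CA private key staying private, which is why the article makes so much of keeping it on the isolated Wang system.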


Encryption. The process of disguising a message to ensure its contents remain secret from all but those intended to see that message.

Integrity. In the context of digital security, integrity describes a message that has not been modified in transit. The receiver of a message should be able to check the integrity of that message so that intruders cannot substitute false messages for legitimate ones. Digital signatures provide one way of ensuring the integrity of messages. (See also digital signature, confidential, authentication, and nonrepudiation.)


Module Authentication and Binding Library Extensions (MABLE). Novell technology that authenticates an application module to a NICI cryptographic library module before allowing the application to use NICI. MABLE also provides an ongoing binding mechanism between the two modules. Together, MABLE authentication and binding provide a coupling between an application and its supporting cryptographic library that is virtually as strong as a static link. Because of this strong binding, NICI cryptographic components cannot be easily replaced or subverted; hence, NICI wards off the crypto-with-a-hole problem.

Nonrepudiation. In the context of digital security, nonrepudiation is 
the assurance that the sender of a message cannot later falsely 
deny having sent that message. (See also authentication, confi- 
dential, and integrity.) 

Novell International Cryptographic Infrastructure (NICI). An 
infrastructure of network cryptographic services for worldwide 
consumption, NICI supports multiple cryptographic technologies 
that offer fundamental security features, including confidentiality, 
integrity, authentication, and nonrepudiation. NICI complies 
with diverse national import and export restrictions on the use of 
cryptography and enables the use of the strongest cryptography 
legally allowed within the country in which NICI is being used. 

NICI has met import and export restrictions worldwide. Appli- 
cations developed in the United States that provide NICI services 
for worldwide consumption will be subject only to a one-time ex- 
port review process because the application itself does not in- 
clude cryptography. NICI services are exposed through the Con- 
trolled Cryptographic Services (CCS) Application Program Inter- 
face (API) included in the latest version of the Novell Developer 
Kit (NDK). (For more information about the NDK, visit http:// 
developer.novell.com/ndk.) 

Public-Key Encryption. An encryption scheme in which each party 
exchanging messages gets a pair of keys: a public key and a 
private key. As these names suggest, public keys are published, 
and private keys are secret. Private keys are never transmitted or 
shared. The sender encrypts a message using the recipient’s pub- 
lic key, and the receiver can only decrypt that message using his 
or her private key. @ 


government regulations. These regulations prohibit companies from shipping hardware or software products that have a cryptographic hole that someone else could plug with any type and strength of cryptography. Other countries such as France have similar import restrictions that prohibit companies from importing products with holes that might enable users to insert their own cryptography.

To avoid this crypto-with-a-hole problem, developers who want to write applications for worldwide consumption typically have little choice but to write a different version of the same application. Each version would have to support the type and strength of cryptography acceptable to each country’s import and export laws for cryptography. In the best case scenario, developers would write two versions of their application: one version to appease the restrictions on the use of cryptography in their own country and another version to pass their country’s export restrictions or the import restrictions of the country to which developers wanted to ship their product.

Ideally, developers would like a mod- 
ular approach to cryptography. However, 
dynamically loadable modules create the 
threat of crypto-with-a-hole: Pop out the 
module executing the cryptographic algo- 
rithms, pop in your own module, which 
executes a stronger version of that algo- 
rithm, and voila—you have subverted the 
cryptography provided by that particular 
application. Good luck trying to pull a 
stunt like that with NICI. NICI ensures 
crypto-without-a-hole. 

As stated a number of times, NICI has 
earned an export license from the U.S. 
government and has been approved for use 
in countries such as France and Russia, 
both of which have tight cryptographic 
import restrictions. In part, NICI has man- 
aged to gain these licenses because NICI 
guards against crypto-with-a-hole. How? 
NICI ensures that you and others cannot 
subvert the cryptographic services it pro- 
vides through several means. 

For example, the CA hierarchy housed 
on the Wang system ensures that NICI 
cannot be subverted. According to Schell, 
the Wang system enables Novell to stake 
its corporate life on the security of the 
private key at the root of the CA hier- 
archy. The security of this private key is 
essential: Armed with the private key at 
the root of the CA hierarchy, someone 
could forge a signature on a non-NICI 
cryptographic module. But because the 
private key is absolutely secure, the U.S. 
government feels confident that no one 
will be able to subvert NICI by forging 
digital signatures. 

The XIM further ensures that NICI 
cannot be subverted. Because the XIM 
checks the digital signature on the certi- 
ficates that accompany NICI modules 
before loading these modules, the XIM 
ensures that no one could substitute a 
nonauthorized module for a NICI mod- 
ule. This ability to verify the legitimacy 
of NICI modules before installing and 
loading them is assurance against crypto- 
with-a-hole and one of many reasons the 
U.S. government gave Novell approval to 
export NICI worldwide. 

NO HOLES WHEN MABLE’S AROUND 

Another defense against crypto-with- 
a-hole and another reason Novell gained 
U.S. export approval is NICI’s use of 
Module Authentication and Binding Li- 
brary Extensions (MABLE) technology. 
MABLE technology is arguably Novell’s 
leading defender against the threat of 
someone subverting NICI cryptographic 
services. MABLE authenticates the 
NICI CCS XLIB to an application and 
continually binds the two, creating a dy- 
namic link that is essentially as strong as 
a static link. This strong link ensures that 
someone using a NICI-based application 
cannot easily replace or subvert NICI’s 
cryptographic components. 

MABLE uses a public-key challenge- 
response authentication protocol to au- 
thenticate NICI to an application when 
the application is initialized and before 
that application uses any NICI services. 
This authentication process proves to the 
application that it is about to use legiti- 
mate NICI services. In other words, 
Schell explains, “The application makes 
sure it is talking to the real NICI.” 

After this initial authentication, 
MABLE provides ongoing binding be- 
tween the NICI application and the CCS 
XLIB to ensure that the application con- 
tinues to speak to the real NICI for the 
duration of a session. “It’s one thing to au- 
thenticate at the beginning of a session,” 
explains Dan Fritch, NICI development 
manager, “but you have to ensure that 
somebody doesn’t just authenticate at the 
beginning of a session and then later say, 
‘I’ll jump in during the middle of the ses- 
sion and use NICI however I want.’ So we 
have to do an ongoing binding. That way, 
you can’t just trivially replace a NICI 
module after you’ve authenticated it.” 
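The article describes MABLE’s initial step as a public-key challenge-response protocol but gives no message formats, and it says nothing about how the ongoing binding works. The Go program below is an added illustration of what such an initial exchange looks like; it is not Novell’s MABLE. It assumes the application already carries the library’s public key, and the context prefix and 32-byte nonce size are the example’s own choices.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Domain-separation prefix (an assumption of this example): the library signs
// only digests of this form, so it cannot be used to sign arbitrary data.
const challengeContext = "example-mable-challenge-v0:"

// Library stands in for the CCS XLIB. It holds the private key whose public
// half the application trusts.
type Library struct {
	priv *rsa.PrivateKey
}

func NewLibrary() (*Library, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Library{priv: priv}, nil
}

func (l *Library) PublicKey() *rsa.PublicKey { return &l.priv.PublicKey }

// Respond answers a challenge by signing SHA-256(context || challenge).
func (l *Library) Respond(challenge []byte) ([]byte, error) {
	digest := challengeDigest(challenge)
	return rsa.SignPKCS1v15(rand.Reader, l.priv, crypto.SHA256, digest[:])
}

func challengeDigest(challenge []byte) [32]byte {
	return sha256.Sum256(append([]byte(challengeContext), challenge...))
}

// App stands in for the NICI consumer. It knows the library's public key and
// remembers the single challenge currently outstanding.
type App struct {
	libPub  *rsa.PublicKey
	pending []byte
}

// NewChallenge draws a fresh random nonce for this session.
func (a *App) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	a.pending = nonce
	return nonce, nil
}

// CheckResponse accepts a response only if it is a valid signature over the
// outstanding challenge. The challenge is cleared whether or not the check
// succeeds, so a captured response cannot be replayed against a later one.
func (a *App) CheckResponse(response []byte) error {
	if a.pending == nil {
		return errors.New("no outstanding challenge")
	}
	digest := challengeDigest(a.pending)
	a.pending = nil
	if err := rsa.VerifyPKCS1v15(a.libPub, crypto.SHA256, digest[:], response); err != nil {
		return errors.New("library failed authentication")
	}
	return nil
}

func main() {
	lib, err := NewLibrary()
	if err != nil {
		panic(err)
	}
	app := &App{libPub: lib.PublicKey()}

	challenge, _ := app.NewChallenge()
	resp, _ := lib.Respond(challenge)
	fmt.Println("genuine library:", app.CheckResponse(resp))

	// Replaying the earlier response against a new challenge fails.
	app.NewChallenge()
	fmt.Println("replayed response:", app.CheckResponse(resp))

	// A substitute library with its own key cannot answer the challenge.
	impostor, _ := NewLibrary()
	challenge, _ = app.NewChallenge()
	bad, _ := impostor.Respond(challenge)
	fmt.Println("impostor library:", app.CheckResponse(bad))
}
```

Freshness is what separates this check from the static signature check on a module image: the application accepts a response only for the nonce it has just issued, so a response recorded from an earlier session is worthless, and a substituted library that lacks the private key cannot answer at all. This covers only the moment of initialization that Schell describes; the ongoing binding Fritch refers to would need a further mechanism that the article does not detail.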


SEEING PAST THE CRYPTIC NATURE 
OF THE NICI ARCHITECTURE 

Not surprisingly, the NICI architecture 
is a bit cryptic. However, the following 
thumbnail sketch of the NICI architec- 
ture at work might help make the essence 
of NICI a bit more plain: Suppose an ap- 
plication requested to encrypt a particular 
file. The application would access the 
CCS XLIB’s data encryption service via 
the CCS API. The CCS XLIB would 
then speak to an XMGR, saying, in es- 
sence, “I want this file encrypted.” 

After receiving the request for user 
data encryption, the XMGR would check 
the policy dictating the use of keys and 
algorithms on that particular server. As- 
suming the application were running on 
a server installed in the United States or 
Canada, the XMGR could select 128-bit 
Triple DES on the Domestic XENG. 

The XMGR would then send the re- 
quest to the appropriate interface on the 
Domestic XENG, which would execute 
the algorithm to encrypt the file and re- 
turn the results to the XMGR. The 
XMGR would return the results to the 
CCS XLIB, which would, in turn, re- 
turn the results to the application. 


START SINGING 

Three groups primarily benefit from 
NICI: Novell, NetWare 5 administrators, 
and NetWare 5 developers. Novell bene- 
fits from NICI because Novell can create 
one version of NetWare 5 applications 
and services for worldwide use. When 
applications are written to use the ser- 
vices the CCS XLIB has to offer, those 
applications can run on any NetWare 5 
server, in any country, using whatever 
level of cryptography that NICI provides 
on that particular server. 

NetWare 5 administrators benefit 
because upgrading their company’s cryp- 
tographic services is as easy as installing a 
new NICI module. Once the upgrade is 
in place, all of the applications that use 
cryptographic services will automatically 
have access to the latest, greatest, and 
strongest cryptography available. In addi- 
tion, NetWare 5 administrators have to 
manage only one version of NetWare 5 
and only one version of any NICI-based 
applications they are running. 

Finally, NetWare 5 developers will 
benefit because they can write one ver- 
sion of an application that uses crypto- 
graphic services and that version can be 
used worldwide. Because the application 
uses NICI services, rather than providing 
its own cryptographic services, developers 
save time in the development cycle and 
in the export approval process. Further- 
more, developers who use NICI save 
money because they don’t have to find a 
cryptographic supplier and pay that sup- 
plier for use of a cryptographic library. 

In short, NICI will have many of you 
singing new words to the 1980s song 
“Mickey”: “Hey NICI you're so fine. You’re 
so fine you blow my mind! Hey NICI!” 

Linda Boyer Kennard works for Niche As- 
sociates, an agency that specializes in writing 
and editing technical documents. Niche Asso- 
ciates is located in Sandy, Utah. @ 


Novell’s BorderManager 
Authentication Service 


Arm Your Network for Remote Users 


Cheryl Walton 


If you were the network administrator at a small bicycle-accessory manufacturer in Yuma, Arizona, how would you solve the following challenge? The company’s president has recently hired an inventor and a research and development firm. Now it’s your job to provide both the inventor, who works out of his home in White Plains, New York, and the research and development firm, whose facility is located in Dallas, Texas, with remote access to your company’s network.

Because the information 
exchanged between Yuma, 
White Plains, and Dallas 
will be confidential, the 
remote-access system you 
create must be secure. In 
addition, you must be able 
to expand the remote- 
access system rapidly and 
to virtually any size. After 
all, you do not know how 
fast the company will grow 
or how big the company 
will become once it begins 
to market new products. 

The growing number 
of companies that have 
employees who telecom- 
mute—whether they work at 
home, on the road, or at a branch 
office—has left many network administrators facing this chal- 
lenge. How do you address the security problems inherent in 
providing network services to remote users, not to mention 
the difficulties of managing an extended network? Novell’s 
BorderManager Authentication Service integrates Remote 
Authentication Dial-In User Service (RADIUS) with Novell 
Directory Services (NDS) to offer security and other capa- 
bilities you need to set up and manage remote access to your 
company’s network. 

This article explains how BorderManager Authentication Service integrates RADIUS with NDS to offer an easily managed RADIUS solution that provides authentication, authorization, and accounting services for remote users. This article also explains several additional features of BorderManager Authentication Service—features that make it easy for you to enable remote access for any number of remote users and to manage their user accounts.


WHAT IS RADIUS? 

RADIUS is the authentication, authorization, and accounting protocol that Livingston Enterprises Inc. (now Lucent Technologies) developed in collaboration with the Internet Engineering Task Force (IETF). RADIUS supports dial-in user authentication through Point-to-Point Protocol (PPP), Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), UNIX login, and other authentication protocols that implement a username and password.

RADIUS transports authentication, authorization, and configuration information between a network access server and an authentication server, both of which must be RADIUS compliant. A network access server accepts dial-in access from telephone lines via modems or from Integrated Services Digital Network (ISDN) lines via ISDN terminal adapters. (For a list of vendors that supply RADIUS-compliant network access servers, visit the NetWare Connection World-Wide Web site at http://www.nwconnection.com.)

An authentication server, on the other hand, stores a data- 
base of usernames, passwords, authorization information, and 
configuration information. In addition, the authentication 
server can be the same server that is running the RADIUS 
protocol—the server that is known as the RADIUS server. 
(See Figure 1 on p. 22.) 

Figure 1. Dial-access network using the RADIUS protocol

When a network access server sends a request to a RADIUS server, the RADIUS server first checks the IP address of the network access server making the request. If this IP address does not belong to one of the network access servers with which the RADIUS server has been configured to communicate, the RADIUS server does not respond to the request.

According to the IETF’s Request 
for Comments (RFC) 2138, if a RA- 
DIUS server receives a request from 
a network access server that is not 
on the RADIUS server’s list of config- 
ured network access servers, the RA- 
DIUS server should log the access at- 
tempt and then silently discard the 
request. When silently discarding a 
request, the RADIUS server simply 
does not respond to the requesting 
network access server. (To read RFC 2138, go to ftp://ftp.livingston.com/pub/radius/rfc2138.txt.)

Since RFC 2138 recommends, but 
does not require, RADIUS applications 
to log unauthorized attempts to access 
your company’s network, not all RA- 
DIUS applications perform this function. 
However, BorderManager Authentica- 
tion Service does, providing you with 
information that allows you to identify 
repeated attempts to gain unauthorized 
network access. 


SECRET, SECRET, WHO'S GOT THE SECRET?

Network access servers and RADIUS servers use a shared secret to protect each user's password and, at the same time, to validate one another's identity. A shared secret is a well-chosen string of characters, configured identically on both servers, from which the key material that hides a user's password in transit between the servers is derived.

Like a well-chosen password, a well-chosen shared secret should be one that cannot be easily guessed and that is at least eight characters long; the maximum length depends on the RADIUS server you are using. For example, if you were using a server running BorderManager Authentication Service as your company's RADIUS server, the shared secret you create should be a meaningless, randomly generated string of 20 to 30 alphanumeric characters. Keep in mind that the shared secret is the only thing standing between a captured access request packet and the user's password: anyone who records the traffic and guesses the secret can recover every password offline. Use a different secret for each network access server, so that the compromise of one does not expose the others.

When a user dials in to a network protected by RADIUS, he or she is prompted for a username and password. After obtaining this information (either directly from the user or through the user's dial-in software, depending on the type of connection being established), the network access server creates an access request packet that includes the username and password. The password does not travel in the clear. The network access server generates a random 16-byte request authenticator for the packet, computes an MD5 digest of the shared secret followed by that authenticator, and combines the digest with the password (XOR, 16 bytes at a time, chaining each hidden block into the next digest) before sending the access request packet to the RADIUS server. (See Figure 1.) MD5 is the message digest algorithm designed by Ron Rivest of RSA Data Security; it is a hash function, not the RSA public-key cipher, and this scheme is password hiding rather than strong encryption, which is why the quality of the shared secret matters so much.

When the RADIUS server receives the access request packet, it repeats the same digest computation with its own copy of the shared secret and the request authenticator taken from the packet, and so recovers the user's password. The RADIUS server then uses the database stored on the authentication server to authenticate this user. For example, if you were using a server running BorderManager Authentication Service as your company's RADIUS server, this server would compare the username and password against the usernames and passwords stored in your company's NDS database.

If the requesting network access server hid the user's password with the wrong shared secret, the RADIUS server recovers garbage rather than the password, so authentication fails and the RADIUS server prepares an access reject packet and sends it to the network access server. In other words, a network access server that does not hold the correct shared secret can never get a user accepted, even when the user supplies the right username and password. (The RADIUS server cannot tell a wrong secret from a wrong password; both look like a failed login, so when every user dialing in through one network access server is rejected, check that server's secret first.) The RADIUS server also prepares an access reject packet if any of the specified user requirements are not met, for example, if the user mistyped his or her username.

If the user is successfully authenticated, the RADIUS server sends an access accept packet to the network access server. This packet contains all of the information necessary to deliver the network services the user is authorized to receive. Every reply, accept or reject, also carries a response authenticator computed over the reply and the shared secret, so the network access server can verify that the reply really came from its RADIUS server and not from a third party on the path.
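The exchange this section describes, as an added example written for this edit rather than code from Novell or from the article: the network access server hides the password the way RFC 2138 prescribes, the RADIUS server checks the source address against its configured list and silently discards strangers, the server answers with an access accept or access reject carrying a response authenticator, and the network access server verifies that authenticator before trusting the reply. The proxy function shows the re-hiding a proxy RADIUS server has to do with the next hop's secret. Every address, secret, username and password in it is invented, and the user table stands in for the NDS database.

```python
"""Added example (not Novell's or the article's code): the RFC 2138 Access-Request
exchange between a network access server (NAS) and a RADIUS server, standard
library only.  All names, addresses, secrets and passwords here are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # attribute types, RFC 2138

def hide_password(password, secret, authenticator):
    """RFC 2138 5.2: NUL-pad to 16-byte blocks, XOR each block with MD5(secret +
    previous hidden block); the first block uses the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the chain runs over the received hidden blocks."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs, secret=None):
    """Code, Identifier, Length, Authenticator, then type-length-value attributes.
    Replies get a Response Authenticator: MD5(header + Request Auth + attrs + secret)."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if secret is not None:
        authenticator = hashlib.md5(header + authenticator + body + secret).digest()
    return header + authenticator + body

def parse_packet(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, data = {}, packet[20:length]
    while data:
        attrs[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return code, ident, packet[4:20], attrs

def nas_access_request(secret, username, password, nas_ip, ident=7):
    """What the NAS sends; the Request Authenticator must be unpredictable."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

class RadiusServer:
    def __init__(self, clients, users):
        self.clients = clients  # NAS IP -> shared secret: the configured NAS list
        self.users = users      # username -> password; stands in for the NDS database
        self.log = []           # audit trail, including silently discarded requests

    def handle(self, packet, source_ip):
        secret = self.clients.get(source_ip)
        if secret is None:  # RFC 2138: log it, then send nothing back
            self.log.append(("discard", source_ip, None))
            return None
        code, ident, request_auth, attrs = parse_packet(packet)
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
        # A NAS using the wrong secret yields a wrong password here; the server
        # cannot tell the two cases apart, so both end in Access-Reject.
        ok = user in self.users and hmac.compare_digest(self.users[user].encode(), password)
        self.log.append(("accept" if ok else "reject", source_ip, user))
        return build_packet(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, [], secret)

def nas_check_reply(reply, request_auth, secret):
    """The NAS trusts a reply only if its Response Authenticator proves the sender
    knows the secret; a forged Access-Accept from elsewhere fails this check."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-reply"
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"

def proxy_rehide(packet, secret_in, secret_out):
    """A proxy RADIUS server re-hides the password for the next hop with its own
    secret, which is why every proxy on the path sees the clear text password."""
    code, ident, request_auth, attrs = parse_packet(packet)
    cleartext = reveal_password(attrs[USER_PASSWORD], secret_in, request_auth)
    attrs[USER_PASSWORD] = hide_password(cleartext, secret_out, request_auth)
    return build_packet(code, ident, request_auth, list(attrs.items())), cleartext

def dial_in(server, nas_secret, username, password, nas_ip):
    """One complete exchange seen from the NAS: accept, reject, bad-reply or discarded."""
    packet, request_auth = nas_access_request(nas_secret, username, password, nas_ip)
    reply = server.handle(packet, nas_ip)
    return "discarded" if reply is None else nas_check_reply(reply, request_auth, nas_secret)
```

dial_in returns "accept" for the right secret and password, "reject" for a wrong password, "bad-reply" when the network access server holds the wrong secret (the server rejects the garbled password, and the network access server then cannot validate the server's response authenticator either), and "discarded" when the request comes from an address the server was never told about, which leaves nothing behind but a log entry.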

In addition to protecting your com- 
pany’s network via a shared secret and 
encrypted passwords, a RADIUS server 
can be configured to instruct the net- 
work access server to “hang up” on a 
user and call the user back at a specified 
telephone number. This callback feature 
is useful if you want to require remote 
users to access your company’s network 
only from specific locations. 


IT'S BETTER WITH BORDERMANAGER AUTHENTICATION SERVICE

The IETF is in the process of establishing RADIUS as an official Internet standard. (See RFC 2138 and 2139. To read RFC 2139, go to ftp://ftp.livingston.com/pub/radius/rfc2139.txt.) However, vendors such as Novell have already made RADIUS the de facto industry standard. RADIUS performs even better when used in conjunction with BorderManager Authentication Service, which gives you the flexibility to do the following:

• Choose a platform
• Choose dial-in software
• Expand your company's remote-access system as the number of users grows
• Update your company's remote-access system as technologies change

Platform of Choice: NetWare or Windows NT

You can install BorderManager Authentication Service on a server running NetWare 4.11 or above or on a server running Windows NT 4.0 or above. This cross-platform support means you can use NetWare or Windows NT servers running BorderManager Authentication Service together on the same network. You can also substitute a NetWare server for a Windows NT server, and vice versa.


Dial Me Up

BorderManager Authentication Service provides support for a variety of dial-in software. For example, BorderManager Authentication Service works with terminal emulation software, such as HyperTerminal, and with software that supports PPP, such as the dial-in software included with Windows 95 and Windows NT 4.0. Since BorderManager Authentication Service doesn't require you to implement a particular type of dial-in software, the software you install on a user's workstation depends mainly on the type of RADIUS-compliant network access server that provides the user with remote access to your company's network.

For example, if BorderManager Authentication Service is running on a NetWare 4.11 server and remote users want to access NetWare services, both the network access server and the dial-in software you choose must support IPX. Also, like the network access server on your company's remote-access system, the dial-in software you choose must support authentication by username and password.


Room to Grow With NDS

In addition to allowing you to choose from a variety of dial-in software, BorderManager Authentication Service allows you to add a virtually unlimited number of users to your company's remote-access system. When you install BorderManager Authentication Service, the installation program copies RADIUS server files to one or more of your company's NetWare or Windows NT servers. These servers then become RADIUS servers. The installation program also extends the NDS schema to accommodate dial-in access to your company's network, thus enabling the RADIUS server (or servers) to authenticate remote users through the NDS database.

Since BorderManager Authentication Service is fully integrated with NDS and includes a snap-in module for Novell's NetWare Administrator (NWADMIN) utility, you can assign remote-access privileges, to individual users or to groups of users, through the same database you use to manage your company's network. You can also configure the NDS database to accommodate a virtually unlimited number of remote users.

After you have installed BorderManager Authentication Service, you must create at least one Dial Access System object in the NDS tree to provide dial-in access to your company's network.


(You must also define a password for the Dial Access System object. To find out what this password does and how to keep it hidden from users who have access to the RADIUS server console, see "Where Did It Go?" on p. 26.) The Dial Access System object contains the configuration information that RADIUS servers on the network use to return connection information to requesting network access servers.

Whether you have one or more RADIUS servers, you can use the Dial Access System object to manage all of them. This capability allows you to add RADIUS servers to your company's remote-access system without significantly increasing the amount of time it takes to manage that system.
Where Did It Go?

When you use the NetWare Administrator (NWADMIN) utility to create a Dial Access System object, you must give that object a password. BorderManager Authentication Service uses the password you create to protect the encryption keys that, in turn, protect both remote users' passwords and Remote Authentication Dial-In User Service (RADIUS) shared secrets. In addition, RADIUS servers use the Dial Access System password to log in to the Dial Access System object, which allows RADIUS servers to access authentication and connection information through Novell Directory Services (NDS). Like the RADIUS shared secret, the Dial Access System password should be a random string of 20 to 30 alphanumeric characters.

BorderManager Authentication Service's RADIUS service functions as a NetWare Loadable Module (NLM). As a result, RADIUS is on the NetWare server but is not available and active until you load it. To load BorderManager Authentication Service's RADIUS services on a NetWare 4.11 or above server, type the following command at the server console:

LOAD RADIUS

After you enter this command, you are prompted for the name and the password of the Dial Access System object that the RADIUS server will log in to.

When you install BorderManager Authentication Service, the installation program adds the LOAD RADIUS command to the AUTOEXEC.NCF file so that RADIUS loads automatically each time you reboot the server. Unless you edit the AUTOEXEC.NCF file, however, you will be prompted to supply the Dial Access System object name and password each time RADIUS is loaded (as you are when you load the RADIUS services manually). For RADIUS to load unattended, you must add the following lines to the AUTOEXEC.NCF file:

"name=(Dial Access System object name)"
"password=(Dial Access System object password)"

You replace Dial Access System object name and Dial Access System object password with the actual name of your company's object and the actual password.

Although editing the AUTOEXEC.NCF file allows RADIUS to load unattended whenever the server is rebooted, this option also makes the Dial Access System object password available to anyone with access to your server's console, and to anyone who can read the AUTOEXEC.NCF file itself. Fortunately, BorderManager Authentication Service allows you to hide the Dial Access System object password. You simply enter the following command at the server console after you load RADIUS the first time:

RADIUS Password SET

The RADIUS Password SET command stores the Dial Access System password in an encrypted form, preventing users who have access to the server console from reading the Dial Access System password.

If you hide this password, only the name of the Dial Access System object must be specified when RADIUS is loaded. In other words, if the server went down while you were away, RADIUS could be loaded in your absence even if the person rebooting the server were not authorized to know the Dial Access System password.

If you change the Dial Access System password after hiding the previous Dial Access System password, you must either enter a SET command with the new password at the server console, or clear the previous password and enter the new password each time RADIUS is loaded. To clear a previously hidden password, type the following command at the server console:

RADIUS Password CLEAR


Keeping Up With Changing Technologies

BorderManager Authentication Service also allows you to incorporate new technologies as they become available. Along with the Dial Access System object, Novell recommends that you create a Dial Access Profile object, which allows you to configure a common set of attributes for all remote users, rather than configuring these attributes for each container object or for each User object. Attributes define specific authentication, authorization, and configuration options that are available to remote users.

For example, User-Password is an authentication attribute, Callback is an authorization attribute, and Framed-Routing is a connection attribute. If you wanted users to receive PPP service, you would create a Dial Access Profile object and set the Service-Type attribute to Framed and the Framed-Protocol attribute to PPP. (For more information about defining attributes, see "Creating a Dial Access Profile Object" on p. 28.)
BorderManager Authentication Service uses the attribute dictionary file to store information about a collection of attributes. The attribute dictionary file stores information about all of the generic and vendor-specific RADIUS attributes currently supported by BorderManager Authentication Service.

Generic RADIUS attributes are the attributes defined in RFC 2138, including User-Name, User-Password, CHAP-Password, NAS-IP-Address, Framed-Routing, and Framed-IPX-Network. Since many vendors have designed RADIUS-compliant network access servers to enable attributes outside the scope of RFC 2138, BorderManager Authentication Service's attribute dictionary file also stores information about many of these vendor-specific attributes.



BorderManager Authentication Service supports current technologies via the vendor-specific attributes in the attribute dictionary file. Novell plans to make emerging technologies available by extending the attribute dictionary file to include new attributes that vendors offer in future products, as well as attributes that the IETF might add as it extends the RADIUS standard. With BorderManager Authentication Service, you can incorporate emerging technologies by simply downloading the latest attribute dictionary file from Novell's web site and then adding the attributes you want to enable to the Dial Access Profile object. (For more information about how to add attributes to a Dial Access Profile object, see "Creating a Dial Access Profile Object" on p. 28.)


BUT THAT'S NOT ALL

In addition to the features already mentioned, BorderManager Authentication Service offers the following benefits:

• The ability to outsource remote access
• The ability to assign separate dial-in passwords
• Group-based management
• Dial access system caching
• Accounting and audit logs


Your Place or Mine?

A RADIUS server can act as a proxy RADIUS server for other RADIUS servers. For example, a server running BorderManager Authentication Service can act as a proxy RADIUS server or can communicate with other RADIUS servers that are acting as proxy RADIUS servers. As a result, you can outsource remote access by contracting with an Internet Service Provider (ISP) that provides RADIUS proxy services. (To view a list of some ISPs that provide RADIUS proxy services, visit the NetWare Connection web site at http://www.nwconnection.com.)

Outsourcing remote access through an ISP can save you time and money because you do not have to purchase, maintain, and manage costly hardware such as network access servers, modems, ISDN terminal adapters, and routers. For example, suppose that you created a RADIUS server by installing BorderManager Authentication Service on a NetWare 5 server and that you contracted with an ISP to provide remote access to your company's network. In this case, remote users would dial in to a RADIUS-compliant network access server that would be owned and maintained by your ISP. (See Figure 2.)

The ISP's network access server would then route a user's request for access to a proxy RADIUS server, which would also be owned and maintained by your ISP. The ISP's proxy RADIUS server would recover the user's password with the secret it shares with the network access server, then hide it again with the secret it shares with your company's RADIUS server before forwarding the access request packet. Two shared secrets are therefore in play, one per hop, and the ISP's proxy necessarily handles the user's password in clear text in between.

Upon receiving the access request packet, your company's RADIUS server would recover the user's password and authenticate the user through the NDS database. The RADIUS server would then send an access accept packet to the ISP's proxy RADIUS server, which would forward this packet to the ISP's network access server. The network access server, in turn, would establish the connections necessary to provide the user with any network services he or she was authorized to access.

Figure 2. Dial-access network that uses an ISP to provide RADIUS proxy services

In addition to running BorderManager Authentication Service, you could run other services on the NetWare 5 server, including NDS. In other words, the NetWare 5 server could do double duty by acting as both a RADIUS server and an authentication server. (Alternately, BorderManager Authentication Service includes a two-user version of NetWare 4.11, so you could dedicate a server to RADIUS authentication without having to purchase additional software for that server.)


May I See a Second ID?

In addition to providing outsourcing capabilities, BorderManager Authentication Service allows you to assign remote users two passwords: one for accessing the network and the other, the NDS password, for accessing network resources. After a server running BorderManager Authentication Service sends an access accept packet to a network access server located on your company's network, the user is granted only the ability to connect to the network. If an ISP provides the network access server the user dials in to, the user can access only the ISP's network. In either case, the user must log in a second time to receive access to the network resources (such as NetWare file and print services) available to him or her through NDS.

When you create a Dial Access System object by using the snap-in module for the NWADMIN utility, you are prompted to choose one of the following password options:

• Use Separate Dial-Access Passwords
• Use Novell Directory Services Passwords

If you choose the Use Separate Dial-Access Passwords option, you can assign remote users separate, non-NDS passwords for dialing in to your company's network. Every hop on the RADIUS path that holds a shared secret (the network access server, any proxy RADIUS server, and the RADIUS server itself) can recover the user's dial-in password in clear text, because each hop unhides the password with one secret and re-hides it with the next. This option therefore provides an extra level of security when an ISP owns the hardware that provides dial-in access to your company's network: the ISP's network access server and proxy RADIUS server would have clear text access only to the non-NDS dial-in passwords. The NDS passwords that grant users access to network resources would never pass through those servers.

You must select the Use Separate Dial-Access Passwords option if your company's network access server or your ISP's network access server authenticates users with CHAP. With CHAP, the user's password itself never crosses the line: the network access server forwards a challenge and the user's response to it, and the RADIUS server must hold the clear text password to recompute and verify that response. NDS passwords are not available in clear text, so they cannot be used with CHAP.

If you choose the Use Novell Directory Services Passwords option, remote users use the same password (their NDS password) for both logins. This option is convenient for remote users because they have to remember only one password, but it means that the NDS password is the one every network access server and RADIUS server on the path sees in clear text.


Creating a Dial Access Profile Object

To create a Dial Access Profile object for BorderManager Authentication Service, you use the NetWare Administrator (NWADMIN) utility to complete the following steps:

1. Select or create the Organizational Unit (OU) object in which you want the Dial Access Profile object to reside.
2. Select Create from the Object menu. The New Object dialog box appears.
3. Select Dial Access Profile, and then click the OK button.
4. Enter a name for the Dial Access Profile object, and then click the Create button.
5. Double-click the Dial Access Profile object you just created. The Dial Access Profile dialog box appears.
6. Select Attributes, and click the Add button.
7. Double-click either the Generic option or one of the vendors listed below the Vendor Specific option. If you select the Generic option, a list of the attributes defined in Request For Comments (RFC) 2138 appears. These attributes include User-Name, User-Password, CHAP-Password, NAS-IP-Address, Framed-Routing, and Framed-IPX-Network. Click the attributes you want to implement. To choose vendor-specific attributes, click the vendor that made your company's or your ISP's network access server. A list appears, containing the extended attributes that particular network access server supports. Click the attributes you want to implement. If your company uses more than one type of network access server, you can add other vendors' attributes as well. (You need to create only one Dial Access Profile object, even if your company has several network access servers.)
8. Select the attributes you want to add from the list, and click the OK button.
9. When you are finished adding attributes, uncheck the Add Another Attribute box, and click the OK button.
10. Click the OK button again.

If the vendor of your RADIUS-compliant network access server has extended attributes and that vendor does not appear in the list of extended attributes supported by BorderManager Authentication Service, you can request that Novell make the vendor's attribute extensions available: Simply send an e-mail message to Novell at BAASComments@Novell.com.

You can also use this e-mail address to request that Novell add attributes to the attribute dictionary file. (Note: The RADIUS server does not recognize attributes that your network access server does not support.) Novell plans to update the attribute dictionary file and make these updates available on the Novell Support Connection World-Wide Web site at http://support.novell.com/products/bmas. If you are a BorderManager Authentication Service customer, you may want to check this site periodically.


Join the Group

BorderManager Authentication Service's group-based management feature makes it easier for you to control remote users' access to network resources. With group-based management, you can control remote users' access to network resources such as network access servers, firewalls, and high-speed connections via Dial Access System objects and Group objects, rather than by controlling access on a user-by-user basis.

To use group-based management in BorderManager Authentication Service, you use the snap-in module for the NWADMIN utility to create a separate Dial Access System object for each resource to which you want to control access. You then configure separate RADIUS servers to access each Dial Access System object you created. (Each RADIUS server can access only one Dial Access System object. For more information, see "Where Did It Go?" on p. 26.)

You also create a separate Group object for each Dial Access System object, and to each Group object, you assign rights to one of the Dial Access System objects. Finally, you add individual User objects to the Group objects.

For example, suppose you were the network administrator at the bicycle-accessory manufacturer mentioned earlier and you wanted to grant the inventor in White Plains and two of the researchers in Dallas access to a particular firewall. You would first use the NWADMIN utility to create a Dial Access System object (called, for example, FWALL1) for this firewall and to configure a RADIUS server to access that object.

Next, you would create a Group object (called, for example, FWALL users) that granted access rights to the FWALL1 object. You would then add the inventor and the two researchers to the FWALL users object.


Just as you can add any number of users to a Group object in general, you can add any number of remote users to a Group object that grants users rights to a Dial Access System object. Conversely, you can add an individual remote user to any number of Group objects that control users' access to Dial Access System objects.

For example, suppose you wanted the entire staff of the research and development firm your company hired to have access to a particular set of network access servers on your company's network. You could create a Dial Access System object for that set of network access servers, configure a RADIUS server to access the Dial Access System object, and create a Group object (called, for example, RDSTAFF) with rights to the Dial Access System object. You could then add every member of the research and development staff to the RDSTAFF object, including the two researchers who were previously granted access to the firewall through the FWALL users object. If the research and development staff grew, you could add the new employees to the RDSTAFF object as well.


Caching In on BorderManager Authentication Service

BorderManager Authentication Service's dial-access caching feature allows your company's RADIUS server to access authorization, authentication, and configuration information quickly and easily. The first time a user dials in to your company's network, BorderManager Authentication Service searches the Dial Access System object for the information necessary to authenticate the user and to provide the network services he or she is authorized to receive. BorderManager Authentication Service then stores this information in a dial-access cache.

With dial-access caching, users don't need to wait for BorderManager Authentication Service to search the Dial Access System object for authentication, authorization, and configuration information every time they request access to the network. Instead, BorderManager Authentication Service delivers this information from cache, which both speeds up remote access and reduces traffic on your company's network.

In addition, BorderManager Authentication Service checks the Dial Access System object each minute. If this object has been modified, BorderManager Authentication Service updates the authentication, authorization, and configuration information stored in its dial-access cache to reflect the change. As a result, only currently authorized connections and access to network services are available to remote users. The one-minute check interval is the window to keep in mind when you revoke someone's dial-in rights: a user you have just removed from a Group object can still be accepted from cache until the next refresh, so for an urgent revocation, confirm in the audit log that no further access accepts for that user appear after the change.


Accounting and Auditing Made Easy

Dial-access caching may facilitate efficient dial-in connections to your company's network, but how do you get information about these connections? To provide you with the connection information you need, BorderManager Authentication Service generates accounting and auditing logs that record this information.

Upon installation, BorderManager Authentication Service automatically enables RADIUS accounting and auditing services. By default, these services are hosted on the same physical server as RADIUS authentication services.

BorderManager Authentication Service's accounting logs, like all RADIUS accounting logs, offer the following information:

• Which users are using remote-access services
• When users are using remote-access services
• How long users are using remote-access services

You can use the information stored in BorderManager Authentication Service's accounting logs to help you troubleshoot problems, perform a statistical analysis, and provide your company's billing department with information about user accounts.

When a RADIUS session begins, the network access server sends an accounting request packet to the RADIUS server. (A session officially begins when the network access server first provides service to the user and officially ends when the service ends.) The accounting request packet contains information such as the user's username, the identity of the network access server, a session identifier,
and the type of service the network access server is delivering to this user. It does not carry the user's password: RFC 2139 forbids the User-Password and CHAP-Password attributes in accounting packets, which is one reason accounting logs are safer to hand to a billing department than authentication traffic would be. The RADIUS server logs this information in an ASCII text file and then returns a message to the network access server, acknowledging that the accounting request packet was received.

Similarly, when the session ends, the network access server sends another accounting request packet that contains the username, the type of service that was delivered to the user, the elapsed session time, and other information. The RADIUS server logs this information in an ASCII text file and once again sends the network access server a message acknowledging receipt of the accounting request packet. (If you are running BorderManager Authentication Service on RADIUS proxy servers in your company's remote-access system, be aware that an accounting request packet is not forwarded but is recorded on the first RADIUS server that receives it.)

By default, RADIUS accounting log files are stored in comma-delimited format. (To find out how you change the default parameters for RADIUS accounting and auditing services, see "Setting Accounting and Auditing Parameters" on p. 30.) The accounting log files are named YYYYMMDD.DAT, where YYYY is the year, MM is the month, and DD is the day the accounting log rollover period begins.

For example, if you set the accounting log rollover period to Monthly, and tomorrow's date were January 1, 1999, the accounting log file that contained information about today's RADIUS sessions would be named 19981201.DAT. In this case, a new accounting log file named 19990101.DAT would be created at midnight, and information about the RADIUS sessions that occurred during the month of January would be recorded in this file. By default, accounting log files roll over on a daily basis, but you can also set these files to roll over at the beginning of each week or at the beginning of each month. (See "Setting Accounting and Auditing Parameters" on p. 30.)
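To show what the accounting and auditing logs actually give you, here is an added example (not the article's or Novell's code) that totals connection time per user from Start/Stop accounting records, flags repeated rejects and discarded requests in an audit log, and names the log file a record lands in under each rollover setting. The column layout and the log lines are constructed for the example, since the page does not show BorderManager Authentication Service's real record format, and the assumption that a weekly rollover period starts on Monday is mine; only the YYYYMMDD naming and the Start/Stop semantics come from the text and from RFC 2139.

```python
"""Added example, not the article's or Novell's code: reading RADIUS accounting and
auditing logs the way the section above describes.  The column layout, the log
lines and the Monday start of a weekly period are CONSTRUCTED assumptions; the
page itself gives only the YYYYMMDD file naming and the Start/Stop semantics."""
import csv
import io
from collections import Counter
from datetime import date, timedelta

ACCT_FIELDS = ["time", "status", "user", "nas_ip", "session_id", "service", "session_time"]

# Constructed comma-delimited accounting records, one per Accounting-Request
# (RFC 2139): Start when the NAS begins service, Stop when it ends.  There is no
# password column; RFC 2139 forbids User-Password in accounting packets.
ACCOUNTING_DAT = """\
1998-12-01 08:02:11,Start,jsmith,10.0.0.5,0000A1,Framed,0
1998-12-01 08:47:40,Stop,jsmith,10.0.0.5,0000A1,Framed,2729
1998-12-01 09:10:02,Start,rlee,10.0.0.5,0000A2,Framed,0
1998-12-01 09:15:33,Stop,rlee,10.0.0.5,0000A2,Framed,331
1998-12-01 22:50:00,Start,jsmith,10.0.0.6,0000B7,Framed,0
"""

# Constructed audit-log lines: one per login attempt, plus one silently
# discarded request from a NAS that is not on the server's configured list.
AUDIT_LOG = """\
1998-12-01 07:59:01 10.0.0.5 jsmith accept
1998-12-01 08:30:14 10.0.0.5 admin reject
1998-12-01 08:30:31 10.0.0.5 admin reject
1998-12-01 08:30:52 10.0.0.5 admin reject
1998-12-01 08:31:10 10.0.0.5 admin reject
1998-12-01 09:09:58 10.0.0.5 rlee accept
1998-12-01 11:00:00 192.0.2.9 - discard
"""


def connection_time(dat_text):
    """Seconds of service per user, taken from Stop records, plus sessions that
    started but never stopped (a NAS that crashed, or a session still open)."""
    totals, open_sessions = Counter(), {}
    for rec in csv.DictReader(io.StringIO(dat_text), fieldnames=ACCT_FIELDS):
        key = (rec["nas_ip"], rec["session_id"])
        if rec["status"] == "Start":
            open_sessions[key] = rec["user"]
        elif rec["status"] == "Stop":
            open_sessions.pop(key, None)
            totals[rec["user"]] += int(rec["session_time"])
    return dict(totals), sorted(open_sessions.items())


def repeated_rejects(log_text, threshold=3):
    """(NAS, user) pairs rejected at least `threshold` times, and the addresses
    whose requests were discarded: the two signs of unauthorized access attempts
    that the article says these logs exist to reveal."""
    rejects, discarded = Counter(), []
    for line in log_text.splitlines():
        _day, _clock, nas_ip, user, result = line.split()
        if result == "reject":
            rejects[(nas_ip, user)] += 1
        elif result == "discard":
            discarded.append(nas_ip)
    return {k: n for k, n in rejects.items() if n >= threshold}, discarded


def log_file_name(iso_day, rollover, suffix=".DAT"):
    """YYYYMMDD<suffix>, dated by the first day of the rollover period that
    contains iso_day.  Weekly periods are assumed to start on Monday."""
    day = date.fromisoformat(iso_day)
    if rollover == "monthly":
        day = day.replace(day=1)
    elif rollover == "weekly":
        day -= timedelta(days=day.weekday())
    elif rollover != "daily":
        raise ValueError("rollOver must be daily, weekly or monthly")
    return day.strftime("%Y%m%d") + suffix


if __name__ == "__main__":
    print(connection_time(ACCOUNTING_DAT))
    print(repeated_rejects(AUDIT_LOG))
    print(log_file_name("1998-12-31", "monthly"))  # 19981201.DAT
```

The open-session list is worth watching as well as the totals: a Start with no matching Stop means either a user still connected or a network access server that went away without sending its Stop record, and in both cases the accounting total undercounts the time actually used.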

You can import the information stored in accounting log files into database and spreadsheet applications that support comma-delimited files, including Microsoft Excel. (By default, RADIUS accounting log files are located in the SYS:\ETC\RADIUS\ACCT directory if you are running BorderManager Authentication Service on a NetWare server. If you are running BorderManager Authentication Service on a Windows NT server, these files are located in the C:\Novell\BMAS\ACCT directory by default.)

RADIUS auditing log files provide a record of all login attempts, whether successful or unsuccessful. Although auditing log files are typically used for troubleshooting, these files are also a reliable means of identifying the attempts of unauthorized users to access your company’s network. In addition, auditing log files provide information for use in accounting systems that are based on remote connection time.

RADIUS auditing log files are named YYYYMMDD.log. YYYY is the year, MM is the month, and DD is the day the auditing log rollover period begins. By default, these files are located in the SYS:\ETC\RADIUS\LOG directory on a NetWare server and in the C:\NOVELL\BMAS\LOG directory on a Windows NT server.

Unlike accounting log files, which you can set to begin at midnight on the first day of each week or each month, auditing log files always begin at midnight on each day. A RADIUS server stores these daily auditing log files for a specified interval and deletes auditing log files that exceed that interval. (Accounting log files are not deleted.)

For example, suppose today were December 17, 1998 and the auditing log interval were set to seven days (as it is by default). When the 19981217.LOG file was created at midnight this morning, the 19981210.LOG file would have been automatically deleted. You can set the rollover interval for RADIUS auditing log files to any number of days. (See “Setting Accounting and Auditing Parameters.”)


Setting Accounting and Auditing Parameters

BorderManager Authentication Service allows you to configure its accounting and auditing services. The following is a list of accounting and auditing parameters for BorderManager Authentication Service and the default settings for these parameters:

serverType = [accounting/authentication] (The default setting is both accounting and authentication.)
acctPath = <RADIUS accounting directory> (The default setting is SYS:\ETC\RADIUS\ACCT for NetWare and C:\NOVELL\BMAS\ACCT for Windows NT.)
acctPort = <UDP port for RADIUS accounting> (The default setting is 1646.)
fileFormat = [standard/comma] (The default setting is comma, meaning comma delimited.)
rollOver = [daily/weekly/monthly] (The default setting is daily.)
RADIUS SystemLog [On\Off] (The default setting is On.)
RADIUS SystemLog <file_location> (The default setting is SYS:\ETC\RADIUS\LOG for NetWare and C:\NOVELL\BMAS\LOG for Windows NT.)
RADIUS SystemLogInterval <number_of_days> (The default setting is 7.)

To change these auditing and accounting parameters when BorderManager Authentication Service is running on a NetWare 4.11 or above server, you enter the following commands at the server console:

UNLOAD RADIUS
LOAD RADIUS parameter

For example, if you wanted to set the accounting log file to rollover on a monthly basis, you would unload RADIUS services and enter the following command at the server console:

LOAD RADIUS rollOver = monthly

To change RADIUS accounting parameters for BorderManager Authentication Service on a Windows NT server, you would complete the following steps:

1. Select Settings from the Start menu on the Windows NT server console.
2. Select Control Panel, and then double-click Services.
3. Select BorderManager Authentication Service.
4. Click Stop, and then click Startup.
5. In the Log On As field, enter the username you use to authenticate to BorderManager Authentication Service.
6. Enter your password.
7. Select Automatic from the Startup Type list.
8. Enter parameter options in the Startup Parameters field.
9. After you enter the parameter options, click Start.


CONCLUSION

Whether you are adding remote-access services to a multiplatform WAN or to a small LAN, such as the network belonging to our hypothetical bicycle-accessory manufacturer, BorderManager Authentication Service provides more than RADIUS security. Cross-platform capabilities, an extendable attribute dictionary file, group-based management, and dial-access system caching are only a few of the features that make BorderManager Authentication Service’s RADIUS solution unique.

With BorderManager Authentication Service, you can manage your company’s remote-access system just as you manage the rest of your company’s network—through NDS and the NWADMIN utility. You can provide dial-in access to remote users via any network access server that is RADIUS compliant. And in many cases, these users can even access your company’s network by using the dial-in software they are most comfortable with.

For more information about BorderManager Authentication Service, visit Novell’s web site at http://www.novell.com/bordermanager/bmas. You can also participate in Novell’s “Try Before You Buy” program. You can download a trial version of BorderManager Authentication Service from Novell’s web site at http://www.novell.com/bordermanager/bmas/tbyb.html.

Cheryl Walton works for Niche Associates, an agency that specializes in writing and editing technical documents. Niche Associates is located in Sandy, Utah. @
NDS Enhancements in NetWare 5


Editor’s Note: Does your company need Novell Directory Services 
(NDS)? If your company is using NDS already, is your company us- 
ing NDS to its full potential? Over the next year, the Novell Certified 
Professional section will focus on NDS, explaining how you can use 
NDS today to better manage your company’s network. The Novell 
Certified Professional section will feature NDS-enabled products, 
NDS enhancements, how-to articles, and tips and tricks. 


NetWare 5 makes integrating your company’s network with 
the Internet easier than ever before and helps you manage 
your company’s network more efficiently. NetWare 5 even makes 
users more productive. As with NetWare 4, Novell Directory 
Services (NDS) plays a significant role in delivering these bene- 
fits in NetWare 5. 

Novell has enhanced NDS to support the new features of 
NetWare 5 such as Zero Effort Networks (Z.E.N.works), Domain 
Naming System (DNS)/Dynamic Host Configuration Protocol 
(DHCP) Services, Novell Distributed Print Services (NDPS), 
and Novell Storage Services (NSS). NetWare 5 also offers other 
NDS enhancements, including the following: 


• Protocol independence 
• Enhanced NDS synchronization 
• Improved performance 
• Better tracking of external references 
• Security enhancements 
• Catalog services 
• WAN traffic manager 


PROTOCOL INDEPENDENCE 

Probably the most significant change in NetWare 5 is proto- 
col independence. In NetWare 5, Novell has made its core com- 
munications layer, NetWare Core Protocol (NCP), independent 
of IPX. As a result, you can configure your company’s NetWare 5 
servers to support IP only, IPX only, or both IPX and IP. 

In NetWare 5, NDS is also protocol independent, supporting 
both IP and IPX. This protocol independence provides better 
interoperability, which makes it easier for you to connect your 
company’s network to the Internet. 

Novell also changed the way NDS advertises and discovers 
NDS tree names. In NetWare 4, NDS relies on Service Adver- 
tising Protocol (SAP) to help devices discover NDS trees and 
other service information on the network. NetWare 4 servers use 
SAP to broadcast NDS tree names and other service information 
on the network every 60 seconds. Broadcasting these services can 
generate a significant amount of network traffic. 
If IP is enabled in NetWare 5, NDS can use Service Location 
Protocol (SLP) to discover NDS trees. SLP eliminates frequent 
broadcasts, significantly reducing the amount of network traffic 
generated by advertising services. Rather than broadcasting ser- 
vice information every 60 seconds, SLP stores this information in 
a service agent. (In large networks, you can use directory agents 
to provide service information about multiple network services.) 
When an application needs a service, an SLP user agent ini- 
tiates a discovery for the application. The user agent queries the 
service agent for the service’s attributes, and the service agent 
responds, providing the network address of the service. (For more 
information about SLP, see “Service Location Protocol: Discover- 
ing Services in a Pure IP Environment,” NetWare Connection, 
July 1998, pp. 32-37. You can download this article from http:// 
www.nwconnection.com/jul.98/slp78.) 


ENHANCED NDS SYNCHRONIZATION 

In NetWare 5, Novell has also changed the NDS synchroni- 
zation algorithms to transitive synchronization. Transitive syn- 
chronization provides the following benefits: 


• Allows servers in a mixed IPX and IP environment to syn- 
chronize NDS changes 
• Reduces NDS synchronization traffic 


The NDS synchronization process in NetWare 4 requires each 
server in a replica list to communicate and synchronize with all 
of the other servers in that replica list. (A replica list includes 
all of the servers that hold a replica of the same partition.) For 
example, suppose you stored replicas of 
Partition A on three servers: SRV-1, SRV- 
2, and SRV-3. To synchronize partition 
changes, SRV-1 must synchronize with 
SRV-2 and SRV-3, SRV-2 must synchro- 
nize with SRV-1 and SRV-3, and SRV-3 
must synchronize with SRV-1 and SRV-2. 

In addition to generating excess net- 
work traffic, this method of synchronizing 
NDS replicas also creates a problem in a 
mixed IPX and IP environment. For ex- 
ample, suppose the servers in the previous 
example were NetWare 5 servers. Also 
suppose SRV-1 was running IPX only, 
SRV-3 was running IP only, and SRV-2 
was running both IPX and IP. If NetWare 
5 used the NetWare 4 method of NDS 
synchronization, the servers could not 
synchronize the replicas because SRV-1 
and SRV-3 could not communicate 
directly with each other. 

Transitive synchronization in NetWare 
5 eliminates the need for each server in a 
replica list to communicate with all of the 
other servers in the replica list. Using tran- 
sitive synchronization, NDS can synchro- 
nize changes made to one replica through 
intermediaries. For example, if SRV-1 syn- 
chronized with SRV-2 and SRV-2 synchro- 
nized with SRV-3, SRV-1 would not need 
to synchronize with SRV-3. Transitive syn- 
chronization allows servers in a mixed IPX 
and IP environment to synchronize NDS 
changes and reduces the amount of net- 
work traffic generated by the NDS syn- 
chronization process. 
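The SRV-1/SRV-2/SRV-3 scenario above, checked under both synchronization rules, as an added Python example (not Novell's code); the replica ring and the protocols each server binds are constructed from the article's description, and the example generalizes to any ring size:

```python
"""Added example, not Novell's code: the replica ring from the article
(SRV-1 IPX only, SRV-2 IPX and IP, SRV-3 IP only) checked under the
NetWare 4 full-mesh rule and the NetWare 5 transitive rule."""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed replica ring for Partition A: the protocols each server binds
RING: Dict[str, Set[str]] = {
    "SRV-1": {"IPX"},
    "SRV-2": {"IPX", "IP"},
    "SRV-3": {"IP"},
}


def can_talk(ring: Dict[str, Set[str]], a: str, b: str) -> bool:
    """Two servers exchange NDS traffic only if they share a protocol."""
    return a != b and bool(ring[a] & ring[b])


def full_mesh_gaps(ring: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """NetWare 4 rule: every server must synchronize directly with every
    other server in the replica list.  Returns the pairs that cannot talk;
    an empty list means the whole ring synchronizes."""
    names = sorted(ring)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if not can_talk(ring, a, b)]


def sync_path(ring: Dict[str, Set[str]], src: str,
              dst: str) -> Optional[List[str]]:
    """NetWare 5 rule: a change on `src` reaches `dst` through any chain of
    servers that can talk pairwise.  Returns one such chain (breadth-first,
    so the shortest) or None when no intermediaries connect the two."""
    parent: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            node: Optional[str] = cur
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(ring):
            if nxt not in parent and can_talk(ring, cur, nxt):
                parent[nxt] = cur
                queue.append(nxt)
    return None


def transitive_sync_ok(ring: Dict[str, Set[str]]) -> bool:
    """The ring converges under transitive synchronization iff every
    replica can reach every other replica, directly or via intermediaries."""
    return all(sync_path(ring, a, b) is not None
               for a in ring for b in ring if a != b)


if __name__ == "__main__":
    print("NetWare 4 full mesh cannot sync:", full_mesh_gaps(RING))
    print("NetWare 5 path SRV-1 -> SRV-3:", sync_path(RING, "SRV-1", "SRV-3"))
    print("Transitive sync converges:", transitive_sync_ok(RING))
```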

To ensure backward compatibility with 
NetWare 4 servers, NetWare 5 servers 
automatically use the NetWare 4 NDS 
synchronization process with NetWare 4 
servers. However, because NetWare 5 
servers introduce changes to the NDS 
schema that previous versions of NDS do 
not understand, you should update the 
NDS versions running on NetWare 4 
servers before you add NetWare 5 to the 
network. Novell recommends that you up- 
date NetWare 4.1 servers to DS 5.15 and 
all NetWare 4.11 servers to DS 6.00. (For 
more information, visit http://support. 
novell.com.) 


IMPROVED PERFORMANCE 

Novell has also improved the perfor- 
mance of NDS by providing additional 
NDS caching in NetWare 5. In NetWare 
4, NDS cached only the Access Control 
List (ACL) information. In NetWare 5, 
Novell has added a change cache. 

Figure 1. In NetWare 5, you can specify which rights should be inherited by the objects 
that reside in a container object. 

In NetWare 5, NDS remembers which 
objects have been changed. When syn- 
chronizing changes, a replica does not 
have to scan the entire partition. Instead, 
the replica looks at the change cache. 
Caching all reads and writes of NDS ob- 
jects improves the performance of NDS. 


BETTER TRACKING OF EXTERNAL 
REFERENCES 

NetWare 5 also includes distributed 
reference links, which change the way 
that NDS keeps track of external refer- 
ences. NDS creates an external reference 
on a server when you perform an opera- 
tion that affects a particular object and 
the server does not hold a replica of the 
partition in which the object resides. 

To keep track of all of the servers that 
contain external references to an object, 
NDS creates backlinks at the object level. 
When you make a change to an object, 
such as moving, renaming, or deleting the 
object, NDS uses these backlinks to up- 
date all of the servers that contain an 
external reference to that object. With 
backlinks, a server that updates external 
references must communicate with every 
server that contains a read-write replica of 
the partition that holds the backlink. 

Distributed reference links in NetWare 
5 contain the distinguished name of the 
partition root rather than the names of all 
the servers that contain external refer- 
ences. With distributed reference links, a 
server can query any read-write replica of 
the partition to find out which servers in 
the partition have external references. 
The partition root then resolves updating 
the external references for servers within 
that partition. 

To maintain compatibility with pre- 
vious versions, NDS in NetWare 5 main- 
tains both distributed external references 
and backlinks. For example, suppose you 
stored replicas of Partition A on SRV-1 
and SRV-2. Also suppose you then granted 
Bob, whose User object is in Partition A, 
file rights to a directory on server SRV-3. 
Because SRV-3 does not hold a replica of 
Partition A, NDS would create an exter- 
nal reference for the Bob User object on 
SRV-3. NDS would then create a distri- 
buted reference link and a backlink to 
SRV-3 in the Bob User object. 

Now suppose that you moved the Bob 
User object from the .provo.novell con- 
tainer object to the .sandiego.novell con- 
tainer object. NDS would have to update 
all of the external references for the Bob 
User object to reflect its new location. 

Using distributed reference links, the 
server performing the update could simply 
contact the partition root, which would 
then update the external references on 
servers within that partition. Using back- 
links, the server performing the update 
would have to contact each server that 
contains an external reference. 

Figure 2. In NetWare 5, you can create catalogs, which speed up access to information in 
the NDS database. 

Novell has also added temporary ex- 
ternal references to NDS in NetWare 5. 
When a user authenticates through a 
server that does not contain a replica of 
the partition in which the User object 
resides, NDS creates a temporary exter- 
nal reference. NDS cleans up any unused 
temporary external references each time 
the NDS janitor process runs, reducing 
the number of external references on your 
network. (The NDS janitor background 
process periodically cleans up and opti- 
mizes the NDS database.) 


SECURITY ENHANCEMENTS 

NetWare 5 includes security enhance- 
ments that allow you to control which 
NDS object and property rights are in- 
herited. In NetWare 4, subordinate ob- 
jects automatically inherit the object 
rights and all properties rights that are 
granted to parent containers. When you 
grant object rights and all properties rights 
to a container object, these rights flow 
down the NDS tree to all objects below. 
(NetWare 4 groups property rights into 
two categories: all properties and selected 
properties. Despite the name, all prop- 
erties rights are not all inclusive.) 

Selected properties rights, on the other 
hand, are not inherited in NetWare 4: For 
example, when you grant rights to selected 
properties such as an address or telephone 
number property, objects below the con- 
tainer cannot inherit the rights. 

NetWare 5 allows you to define which 
rights should be inherited by subordinate 
objects. You can do the following: 


• Define whether object rights granted 
at the container level can be inherited. 
As a result, you can block inheritance 
without creating an Inherited Rights 
Filter for each object that resides in a 
particular container object. 
• Allow specific properties to be inher- 
ited. As a result, you can grant certain 
users the rights to manage attributes of 
objects such as passwords, addresses, 
and telephone numbers. 

34 NetWare Connection December 1998 


To specify which rights are inherited, 
you use the new Inheritable right, which 
applies only to container objects. You can 
set the Inheritable right for object rights, 
all properties rights, or selected properties 
rights. (See Figure 1 on p. 33.) 

If you select the Inheritable right, the 
trustee assignment you make for a con- 
tainer object flows down to all of the 
objects below it. If you don’t select the 
Inheritable right, the trustee assignment 
you make applies only to the container 
object. Any subordinate objects do not 
inherit the rights you have specified. 

The Inheritable right is enabled by 
default for object rights and all proper- 
ties rights (as indicated by the check 
mark in Figure 1 on p. 33). The Inherit- 
able right is disabled by default for select- 
ed properties. These default settings pro- 
vide compatibility with NetWare 4. 

Since the release of NDS, customers 
have been asking Novell to provide an 
easy way to set up password administra- 
tors. Novell has provided this capability 
in NetWare 5 by allowing you to con- 
figure the inheritance of selected proper- 
ties. To make setting up password admin- 
istrators even easier, Novell has added a 
Password Management property to the 
NDS schema. 

To set up a password administrator, you 
grant a user the Supervisor right to the 
Password Management property. You can 
assign this right to a User, Group, or con- 
tainer object. If you assign this right to a 
container object, you should also assign 
the Inheritable right so that the trustee 
assignment is inherited by the objects that 
reside in the container object. 
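The Inheritable right and its defaults, and the password administrator set up above, in a simplified model added here as a Python example (not Novell's code); the tree, the trustee names and the helpdesk object are constructed, and Inherited Rights Filters, security equivalence and the Supervisor-implies-all rule are left out:

```python
"""Added example, not Novell's code: a simplified model of the NetWare 5
Inheritable right on trustee assignments, with the defaults that reproduce
NetWare 4 behaviour and a password administrator set up on a container.
Inherited Rights Filters, security equivalence and the rule that Supervisor
implies every other right are deliberately left out of the model."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

OBJECT = "object rights"
ALL_PROPERTIES = "all properties"
PASSWORD_MANAGEMENT = "Password Management"  # new NetWare 5 schema property


def default_inheritable(kind: str) -> bool:
    """NetWare 5 defaults: object rights and all-properties rights flow
    down the tree; a selected property (any other kind) does not."""
    return kind in (OBJECT, ALL_PROPERTIES)


@dataclass(frozen=True)
class Assignment:
    trustee: str
    kind: str                          # OBJECT, ALL_PROPERTIES or a property
    rights: FrozenSet[str]
    inheritable: Optional[bool] = None  # None -> the NetWare 5 default

    def flows_down(self) -> bool:
        """Does this container-level assignment reach subordinate objects?"""
        if self.inheritable is None:
            return default_inheritable(self.kind)
        return self.inheritable


def ancestors(dn: str) -> List[str]:
    """Typeless dotted name -> its containers, nearest first:
    '.bob.provo.novell' -> ['.provo.novell', '.novell']"""
    parts = dn.strip(".").split(".")
    return ["." + ".".join(parts[i:]) for i in range(1, len(parts))]


def effective_rights(acls: Dict[str, List[Assignment]], target: str,
                     trustee: str, kind: str) -> FrozenSet[str]:
    """Rights `trustee` holds of `kind` on `target`: assignments made on the
    object itself plus those on ancestor containers that flow down."""
    rights = set()
    for a in acls.get(target, []):
        if a.trustee == trustee and a.kind == kind:
            rights |= a.rights
    for container in ancestors(target):
        for a in acls.get(container, []):
            if a.trustee == trustee and a.kind == kind and a.flows_down():
                rights |= a.rights
    return frozenset(rights)


def password_admin_acls(inheritable: Optional[bool]) -> Dict[str, List[Assignment]]:
    """Constructed tree: a hypothetical helpdesk user gets Supervisor to the
    Password Management property on the .provo.novell container, and admin
    holds object rights at the root.  `inheritable=None` is the default,
    which leaves the helpdesk assignment on the container only."""
    return {
        ".novell": [Assignment("admin.novell", OBJECT,
                               frozenset({"Browse", "Create", "Delete"}))],
        ".provo.novell": [Assignment("helpdesk.provo.novell", PASSWORD_MANAGEMENT,
                                     frozenset({"Supervisor"}), inheritable)],
    }


if __name__ == "__main__":
    for flag in (None, True):
        acls = password_admin_acls(flag)
        print("Inheritable =", flag, "-> helpdesk on bob:",
              set(effective_rights(acls, ".bob.provo.novell",
                                   "helpdesk.provo.novell", PASSWORD_MANAGEMENT)))
```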


CATALOG SERVICES 

Catalog services is another NetWare 5 
enhancement to NDS. Catalog services 
allows you to create flat file databases, 
called catalogs, of frequently accessed NDS 
objects. Catalogs provide faster access to 
information stored in the NDS database. 

Without catalog services, a client or 
an application must “walk” the NDS 
tree to find an object. With catalog ser- 
vices, the client or the application sim- 
ply searches the catalog for the object. 
Catalog services speeds up access to 
NDS objects, especially if the objects 
are located across a WAN link. 

Catalog services includes the following 
components: 


• DSCAT.NLM. This NetWare Loadable 
Module (NLM) contains the catalog 
dredger that searches the NDS database 
for the objects and properties to include 
in a catalog. When you install NetWare 
5 on a server, DSCAT.NLM is installed 
and loaded automatically. 
• DSCQRY16.DLL & DSCQRY32.DLL. 
These DLLs are the search engines that 
applications such as the NetWare Ad- 
ministrator (NWADMIN) utility use to 
query the NDS database. 
• DSCATMGR.DLL. This DLL is a snap- 
in module for the NWADMIN utility. 
With this snap-in module, you can 
use the NWADMIN utility to create, 
modify, query, index, and delete cata- 
log objects. 


Creating a Catalog 

You use the NWADMIN utility to 
create and manage catalogs. When you 
create a catalog, you specify the objects 
and properties that you want to include in 
the catalog. (See Figure 2). For example, 
you can create a catalog of your company’s 
employees and their telephone numbers. 

Sometimes applications create their 
own catalogs. For example, when you in- 
stall Novell’s LDAP Services for NDS, 
you can have it create a catalog of NDS 
User objects to speed up Lightweight Di- 
rectory Access Protocol (LDAP) lookups. 

You can create two types of catalogs in 
NDS: master catalogs and slave catalogs. 
A master catalog is the original copy of a 
catalog. You must create at least one mas- 
ter catalog for each catalog. 

A slave catalog is a copy of the mas- 
ter catalog. You can create one or more 
slave catalogs for each catalog. When 
the master catalog receives information 
from the dredger, the master catalog auto- 
matically replicates that information to 
the slave catalogs. 

Using master catalogs and slave cata- 
logs provides two main benefits: 


• You can strategically place slave cata- 
logs close to users who use the catalogs. 
• The catalog dredger only has to search 
the NDS database from one location. 
Searching from one location frees 
up network bandwidth since dredging 
the NDS database is a bandwidth- 
intensive process. 


To create a catalog, you must have the 
following rights: 


• You must have the Supervisor file 
right to the Server object that will 
host the catalog. This server will run 
the DSCAT.NLM to build and update 
the catalog. 
• You must have the Write object right 
to the container object in which you 
will create the catalog. 
• You must have the Write property 
right to the Catalog List property of 
the Server object. 


Contextless Login 

Contextless login is an example of how 
catalog services can benefit your company. 
After creating a catalog of all User objects 
and their full names, you can enable the 
contextless login option on the NetWare 5 
client software’s Properties page. You must 
enable contextless login at each worksta- 
tion that you want to use contextless log- 
in. (Tip: You can use the policies feature of 
the Z.E.N.works Starter Pack to enable the 
contextless login option on multiple work- 
stations simultaneously.) 

After you enable the contextless login, 
a user can simply press the Tab key at the 
username prompt when logging in to the 
network. The user is then presented with a 
dialog box that contains usernames, and 
the user can simply choose the appropriate 
username. (See Figure 3.) 

Figure 3. NetWare 5 provides a contextless login, which allows users to log in to the 
network without knowing their NDS distinguished name. 

You can also configure the NetWare 5 
client software to support wildcards. For 
example, if Bob wanted to see only the 
usernames that begin with the letter B, he 
could enter B* in the username field and 
press the Tab key. NDS would then return 
only those usernames that matched the 
wildcard criteria. 


WAN TRAFFIC MANAGER 

NetWare 5 also includes the WAN 
traffic manager, which is a policy-based 
service that can reduce your company’s 
communications costs. With the WAN 
traffic manager, you can control NDS 
traffic on your company’s network. 

Because NDS servers regularly synchro- 
nize the NDS database, this synchroniza- 
tion can sometimes be intensive. If you use 
dial-up Integrated Services Digital Net- 
work (ISDN) or analog circuits for server- 
to-server communications, every time the 
NDS servers synchronize, the phone line 
comes up, and the charges start. 

The WAN traffic manager lets you 
manage the cost of synchronizing NDS. 
Using the NWADMIN utility, you can 
control NDS communications based on 
the time, the type of traffic, the destina- 
tion of traffic, and other settings. You cre- 
ate WAN traffic policies, which are rules 
that control the generation of NDS traffic. 
NDS stores these WAN traffic policies as 
attributes of Server objects or LAN Area 
objects. (A LAN Area object allows you 
to manage policies for a group of servers.) 

When you load the WAN traffic man- 
ager (which is WANMAN.NLM), it 
reads the WAN traffic policies. When 
NetWare servers need to communicate, 
NDS calls the WAN traffic manager. The 
WAN traffic manager then analyzes its 


policies and controls server-to-server 
communication based on those policies. 
You must load the WAN traffic man- 
ager on each server whose traffic you want 
to control. If a partition’s replica ring in- 
cludes servers on both sides of a WAN 
link, you should install the WAN traffic 
manager on all servers in that replica ring. 
Although Novell designed the WAN traf- 
fic manager to control traffic across WAN 
links, you can use it to control NDS traffic 
between any servers in the NDS tree. 


CONCLUSION 

NetWare 5 provides many enhance- 
ments to NDS: Because NDS now sup- 
ports both IP and IPX as core communica- 
tions protocols, you can choose the proto- 
col that best fits your company’s environ- 
ment. NDS in NetWare 5 also delivers 
better performance than previous versions 
of NDS due to changes in synchronization 
algorithms and new NDS caching. 

In addition, NetWare 5 makes NDS 
security more flexible by letting you de- 
cide which trustee assignments subordi- 
nate objects should inherit. As a result, 
you can set up users who can manage only 
certain attributes such as passwords. 

Catalog services allows you to create 
catalogs that make it easier and faster to 
find NDS information. Catalog services 
also provides the contextless login, which 
allows users to log in without knowing 
their full NDS distinguished name. 

Finally, with the new WAN traffic 
manager, you can control and manage 
NDS synchronization traffic, reducing the 
costs of your company’s WAN. 

Sandy Stevens is a freelance writer based 
in Salt Lake City. She is coauthor of Novell’s 
Guide to Integrating intraNetWare and 
NT, Novell’s Guide to BorderManager, and 
Novell’s Guide to NetWare Printing. @ 
Leslie Miller 


Relaunching CNE Net 


The Web Site for Novell Certified Professionals 


With more than 150,000 Master CNEs and CNEs throughout 
the world, Novell needs a way to support the growing num- 
bers of Novell certified professionals. To provide this support, 
Novell recently redesigned and relaunched CNE Net to be the 
premier worldwide virtual community for Novell certified pro- 
fessionals. CNE Net offers ongoing technical training, access to 
Novell tools, and other solutions to help Novell certified profes- 
sionals do their job better and more efficiently. CNE Net is a 
password-protected web site for Master CNEs, CNEs, and Cer- 
tified Novell Administrators (CNAs), although some areas are 
available only to Master CNEs and CNEs. 


INFORMATION FOR NOVELL CERTIFIED PROFESSIONALS 

In redesigning CNE Net, Novell enlisted the help of CNEs 
so that the information provided on CNE Net would be bene- 
ficial to Novell certified professionals. CNEs worldwide parti- 
cipated in surveys, focus groups, and hands-on testing to ensure 
that the web site would meet their needs. CNE Net has more 
than 200 hypertext links to useful topics including the following: 


• Certification resources 
• Computer-based training (CBT) modules 
• NetWare technical online chats and presentations 
• Advanced technical training 
• New forums 


Certification Resources 
Novell uses CNE Net to communicate certification informa- 
tion to Master CNEs, CNEs, and CNAs. By accessing CNE Net, 
these Novell certified professionals can learn how to maintain or 
upgrade their certification. They can also check out Novell’s new 
course offerings and access the latest news about Novell. 


CBT Modules 

Master CNEs and CNEs can download up to seven CBT mod- 
ules for free. CNE Net provides two types of CBT modules: tech- 
nical CBT modules and developer CBT modules. Technical CBT 
modules guide CNEs step-by-step through specific Novell prod- 
ucts. CNEs can use these modules to refresh their skills, research 
new technical solutions, or try out new products. 

Developer CBT modules are available in several categories 
such as software development, database and networking, and 
the Internet. These modules help developers create products 
that work with Novell’s products. 
NetWare Technical Conferences 

Novell plans to offer live NetWare technical chats and pre- 
sentations through CNE Net. Available to Master CNEs and 
CNEs, these conferences will address topics such as basic and 
advanced network management, groupware management, Inter- 
net connectivity, and web design. Novell certified professionals 
should visit CNE Net to find out more about these conferences. 


Advanced Technical Training 

Novell’s advanced technical training is designed to help all 
Novell certified professionals fine tune their company’s network. 
Through CNE Net, Novell certified professionals can access tools 
to help them increase their networking knowledge. For example, 
CNE Net provides the following: 


• The NetWare 5 Technical Toolkit, which contains all of the 
NetWare 5 boot camp training materials 
• A single source for Novell technical papers and the most cur- 
rent software downloads 
• Free Novell Education tryout quizzes 


New Forums 

CNE Net provides a “virtual community” for Master CNEs 
and CNEs: CNE Net has new forums that allow Master CNEs 
and CNEs to communicate online. They can trade tips and 
tricks, ask questions about the networking challenges they 
face, or share success stories. 


HOW TO ACCESS CNE NET 

Novell certified professionals can access CNE Net at http:// 
www.novell.com/cnenet. To log in, they need their CNE num- 
ber or their Novell Education Testing ID number and their 
certification PIN. For more information about CNE Net, 


Novell certified professionals can call Novell Education at 
1-801-222-7800 or 1-800-233-3382. 


CLUBINTERNET IN EUROPE 

CNEs who live in the United Kingdom, Ireland, or northern 
Europe can also access Novell’s ClubInternet, a virtual communi- 
ty for CNEs. (These CNEs can access CNE Net from the Club- 
Internet web site.) CNEs who live in other European countries, 
the middle East, or Africa will soon be able to join ClubInternet. 
CNEs can find ClubInternet at http://clubinternet.novell.com, or 
they can click a hypertext link from the CNE Net web site. @ 


Novell-Certified Servers 


Kimberly Jones 


As a network administrator, you know that reliable servers are critical to a properly 
functioning network. So why risk your company’s network by using a server that has not 
been certified to work with NetWare or that is not year-2000 ready? 

This article discusses a few of the servers that have earned certification through Novell’s 
Yes, Tested and Approved program. The good news is, these servers have been certified to 
work with NetWare 5—as well as with earlier versions of NetWare—and are year-2000 
ready. (See “Getting Ready for the Year 2000” on p. 38.) The even better news is these 
servers are just the tip of the iceberg: You can find a complete list of Novell Yes, Tested and 
Approved servers on Novell's DeveloperNet World-Wide Web site (http://developer.novell. 
com/infosys/mastr_01.htm). You can also read Yes bulletins for each server if you want 
detailed information about test configurations and test results. 


COMPAQ SERVERS 

Compaq Computer Corp. has so 
many Novell Yes, Tested and Approved 
servers that we cannot possibly list all 
of them. However, we can give you some 
idea of the types of Compaq servers that 
have been certified as Novell Yes, Tested 
and Approved. Because you have such a 
wide range of Compaq servers to choose 
from, you can find the server that is just 
right for your company’s network, wheth- 
er this network is large or small. 

Compaq divides its servers into three 
categories: workgroup servers, depart- 
mental servers, and enterprise servers. 
The following list describes one Novell 
Yes, Tested and Approved server in each 
of these categories: 


• ProLiant 1600 Series. The ProLiant 
1600 series supports up to two Pentium 
II/266 MHz or Pentium II/300 MHz 
processors, up to 512 MB of RAM, 
and up to 54.6 GB of internal storage. 
In addition, the ProLiant 1600 series 
includes six expansion slots and three 
drive bays. (Novell has certified the 
ProLiant 1600 series for use with 
NetWare 5, NetWare 4.11, NetWare 
3.12, NetWare SFT III, and NetWare 
4.11 for Small Business.) 
• ProLiant 3000 Series. The ProLiant 
3000 series supports up to two Pentium 
II/300 MHz or Pentium II/333 MHz 
processors, up to 512 MB of RAM for 
the 300 MHz model or up to 1 GB of 
RAM for the 333 MHz model, and up 
to 109.2 GB of internal storage. In ad- 
dition, the ProLiant 3000 series in- 
cludes eight expansion slots, a hot-plug 
power supply, and an integrated man- 
agement display. (Novell has certified 
the ProLiant 3000 series for use with 
NetWare 5, NetWare 4.11, and Bor- 
derManager 2.1.) 
• ProLiant 6000 Series. The ProLiant 
6000 series supports up to four Pen- 
tium II Xeon/400 MHz processors, 
up to 8 GB of RAM, and up to 218.4 
GB of internal storage. In addition, 
the ProLiant 6000 series includes 10 
expansion slots, redundant processor 
power modules, and an integrated 
remote console. (Novell has certified 
the ProLiant 6000 series for use with 
NetWare 5, NetWare 4.11, NetWare 
4.11 SMP, and BorderManager 2.1.) 


For more information about Compaq servers, visit Compaq's World-Wide Web site (http://www.compaq.com/products/servers). You can also call 1-800-888-9909 in the United States and Canada. Outside of the United States and Canada, contact your local Compaq sales office. (You can search for the Compaq sales office nearest you on Compaq's web site at http://www.compaq.com/corporate/overview/world_offices.html.)


DELL SERVERS 

You probably think of Dell Com- 
puter Corp. as an excellent source for 
desktop computers, but did you know 
that servers are becoming an increas- 
ingly important part of Dell’s business? 
Mike Lambert, vice president at Dell, 
attributes this success to Dell’s direct 
sales model, which enables Dell to build 
every product to order—including ser- 
vers. (See “Talking to Dell Computer’s 
Mike Lambert,” NetWare Connection, 
June 1998, pp. 28-29. You can down- 
load this article from http://www. 
nwconnection.com/jun.98/dell68.) No 
matter what your company’s needs are, 
Dell can build a server to meet your 
company’s unique specifications. 

The PowerEdge 6300 rack-mountable server supports up to four Pentium II Xeon/400 MHz processors, up to 4 GB of RAM, and up to 126 GB of internal storage. The PowerEdge 6300 also offers features such as a Redundant Array of Independent Disks (RAID) system and redundant, hot-swappable cooling fans and power supplies. In addition, the PowerEdge 6300 includes OpenManage, Dell's server management software, which you can use to monitor and control server operations. (Novell has certified the PowerEdge 6300 for use with NetWare 5, NetWare 3.2, NetWare SFT III, and BorderManager 2.1.)

For more information about Dell 
servers, visit Dell’s web site (http:// 
www.dell.com/products/poweredge). 
You can also call 1-800-WWW-DELL, 
or you can contact your local Dell sales 
office. (You can find a list of Dell sales 
offices at http://www.dell.com/global/ 
gep/countrie.htm.) 


GATEWAY SERVERS 

Like Dell Computer Corp., Gate- 
way Inc. is known primarily for its 
desktop computers. However, Gate- 
way has begun making inroads into 
the server market. 
The following Gateway servers have earned Yes, Tested and Approved certification from Novell:

• ALR 7000 Series. The ALR 7000 series supports up to two Pentium II/350 MHz or Pentium II/400 MHz processors, up to 1 GB of RAM, and up to 54 GB of internal storage. The ALR 7000 series also includes seven expansion slots and seven drive bays. (Novell has certified the ALR 7000 series for use with NetWare 5, NetWare 4.11, NetWare 3.12, NetWare SFT III, NetWare 4.11 SMP, and BorderManager 2.1.)

• ALR 8000 Series. The ALR 8000 series supports up to two Pentium II/350 or 400 MHz processors, up to 1 GB of RAM, and up to 262 GB of internal storage. In addition, the ALR 8000 series includes eight expansion slots, 13 drive bays, and a hot-plug power supply subsystem. (Novell has certified the ALR 8000 server for use with NetWare 5, NetWare 4.11, NetWare 3.12, NetWare SFT III, NetWare 4.11 SMP, and BorderManager 2.1. Novell has certified the ALR 8200 server for use with NetWare 5, NetWare 4.11, NetWare 3.2, NetWare SFT III, NetWare 4.11 SMP, and BorderManager 2.1.)

• ALR 9000 Series. The ALR 9000 series supports up to six Pentium Pro/200 MHz processors, up to 4 GB of RAM, and up to 558 GB of internal storage. In addition, the ALR 9000 series includes 12 expansion slots and 14 drive bays in a tower configuration or eight expansion slots and 10 drive bays in a rack-mount configuration. The ALR series also provides active central processor recovery (CPR), which ensures a clean recovery of server operations in the event of a processor, cooling fan, or power supply failure. (Novell has certified the ALR 9000 series for use with NetWare 5, NetWare 3.12, NetWare SFT III, and NetWare 4.11 SMP.)

For more information about Gateway servers, visit Gateway's web site (http://www.gateway.com/corp/alrjump). You can also call 1-800-846-4208. Outside of the United States or Canada, you can contact your local Gateway sales office. (You can find a complete list of Gateway sales offices at http://www.gateway.com/corp/global.)


Getting Ready for the Year 2000

Purchasing a new server may be more than simply a matter of finding the fastest processor and the largest hard drive: In fact, it may be a matter of life and death for your company's network. The year 2000 is looming on the networking horizon, and some of your company's servers may not be year-2000 ready.

Because the year 2000 is only one year away, there is no time to waste. You must test all of the servers on your company's network to ensure that they are year-2000 ready. Then you must take steps to solve the problems on the servers that are not year-2000 ready. (To find out how you can isolate and eradicate the year-2000 problem on your company's network, see "Exterminating the Millennium Bug Before It Wreaks Havoc on Your Company's Network," NetWare Connection, June 1998, pp. 8-20. You can download this article from http://www.nwconnection.com/jun.98/yr200068.)

In many cases, you don't have to throw out existing servers that are not year-2000 ready, even if the server hardware is the problem. You can often fix the problem by manually resetting the server's system clock or by upgrading the server's BIOS. However, replacing the server may be your only alternative.

If these solutions fail, you should consider purchasing one of the servers mentioned in this article. These servers not only work with NetWare 5 and with earlier versions of NetWare but are also year-2000 ready.

For more information about how various companies have prepared their servers for the year 2000, visit the following World-Wide Web sites:

• Compaq Computer Corp. (http://www.compaq.com/year2000)
• Dell Computer Corp. (http://www.dell.com/year2000)
• Gateway Inc. (http://www.gateway.com/home/y2k/y2k)
• Hewlett-Packard Co. (http://www.hp.com/year2000)
• IBM Corp. (http://www.ibm.com/IBM/year2000)


HEWLETT-PACKARD SERVERS

Hewlett-Packard Co. (HP) makes NetServer, a line of servers that has been used in networks of all sizes for years. However, HP does not depend only on real-world experience to prove that you can count on the NetServer line to deliver reliable network services. HP also participates in the Novell Yes, Tested and Approved program, submitting the NetServer line for certification each time a new version of NetWare ships.

When Novell released NetWare 5, HP submitted its latest NetServer line for certification. The following servers in the NetServer line are among those that have received Novell Yes, Tested and Approved certification:

• NetServer E 50 Series. The NetServer E 50 series supports one Pentium II/300 MHz or Pentium II/333 MHz processor, up to 384 MB of RAM, and up to 36.4 GB of internal storage. In addition, the NetServer E 50 series includes six expansion slots and an integrated Wide UltraSCSI controller. Some models even include an integrated HP SureStore T4i tape backup system with up to 8 GB of storage capacity. (Novell has certified the NetServer E 50 series for use with NetWare 5, NetWare 4.11, NetWare 3.2, NetWare 4.11 for Small Business, and BorderManager 2.1.)

• NetServer LC 3 Series. The NetServer LC 3 series supports up to two Pentium II processors with 350 MHz, 400 MHz, or 450 MHz. The NetServer LC 3 series also supports up to 1 GB of RAM and up to 63.7 GB of internal storage. In addition, the NetServer LC 3 series includes six expansion slots and an integrated Wide UltraSCSI controller. Some models even include an HP NetRAID system. (Novell has certified the NetServer LC 3 series for use with NetWare 5, NetWare 4.11, NetWare 3.2, NetWare 4.11 SMP, and BorderManager 2.1.)

• NetServer LH 3 Series. The NetServer LH 3 series supports up to two Pentium II processors with 350 MHz, 400 MHz, or 450 MHz and a 100 MHz bus. The NetServer LH 3 also supports up to 1 GB of RAM and up to 144 GB of internal storage. In addition, the NetServer LH 3 includes eight expansion slots, two integrated Ultra-2 SCSI controllers, and an integrated dual-channel HP NetRAID controller. The NetServer LH 3 series also includes an automated tape backup system with up to 24 GB of storage. (Novell has certified the NetServer LH 3 series for use with NetWare 5, NetWare 4.11, NetWare 4.11 SMP, and BorderManager 2.1.)


For more information about HP ser- 
vers, visit HP’s web site (http://www.hp. 
com/netserver). You can also call 1-800- 
637-7740, or you can contact your local 
HP sales office. (You can find a com- 
plete list of HP sales offices at http:// 
www.hp.com/ahp/SalesOffices.html.) 


IBM SERVERS 

Perhaps more than any other com- 
pany, IBM Corp. is known for making 
workhorse servers that can stand up 
to a punishing amount of network 
traffic. So it should come as no surprise 
that the list of IBM servers that have 
been certified by Novell as Yes, Tested 
and Approved is too long to include in 
this article. 

The following servers—one for a 
small- or medium-sized business, one for 
a workgroup or department, and one for 
an enterprise—are just a few examples 
of the many Novell Yes, Tested and Ap- 
proved servers from IBM: 


• NetFinity 3000 Series. The NetFinity 3000 series supports one Pentium II processor, which can be 300 MHz, 350 MHz, 400 MHz, or 450 MHz. The NetFinity 3000 series also supports up to 384 MB of RAM. (Novell has certified the NetFinity 3000 series for use with NetWare 5, NetWare 3.2, NetWare SFT III, NetWare 4.11 for Small Business, and BorderManager 2.1.)

• NetFinity 5500 M10 Series. The NetFinity 5500 M10 series supports up to two Pentium II Xeon/400 MHz processors, up to 2,048 MB of RAM, and up to 182 GB of storage. You can purchase a NetFinity 5500 M10 server in a rack-mount configuration or in a tower configuration. (Novell has certified the NetFinity 5500 M10 series for use with NetWare 5, NetWare 4.11, NetWare 3.2, NetWare SFT III, and NetWare 4.11 SMP.)

• NetFinity 7000 Series. The NetFinity 7000 series supports up to four Pentium Pro/200 MHz processors, up to 4,096 MB of RAM, and up to 564 GB of internal storage. In addition, you can purchase a NetFinity 7000 server in a rack-mount configuration or in a tower configuration. (Novell has certified the NetFinity 7000 series for use with NetWare 5, NetWare 3.2, NetWare SFT III, NetWare 4.11 SMP, NetWare 4.11 for Small Business, and BorderManager 2.1.)

[Photo caption: IBM's NetFinity 7000]


For more information about IBM servers, visit IBM's web site (http://www.ibm.com/Servers). You can also call 1-888-411-1WEB, or you can contact your local IBM sales office. (You can find a list of IBM sales offices at http://www.ibm.com/Contact.)


CONCLUSION

If you need to purchase a new server for your company's network, you don't need to take chances: You can ensure that the server you choose has been certified as Novell Yes, Tested and Approved. That way, you will know that you are using the best combination of a reliable server and a rock-solid network operating system.
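The "Getting Ready for the Year 2000" sidebar says to test every server for year-2000 readiness before the date arrives. As an added example (not part of the article or of any vendor's test suite), the C program below exercises the three calendar rules the millennium bug hinged on: the carry from 1999-12-31 23:59:59 into 2000, the leap day on February 29, 2000 (a century year that is a leap year because it is divisible by 400), and the two-digit-year storage error that reads 2000 back as 1900. It uses only the standard C library (mktime), so it checks the host's date arithmetic rather than its BIOS clock; the function names are the example's own.

```c
/*
 * Year-2000 readiness checks for a host's calendar arithmetic.
 * Added example, not from the article: the hardware fixes the sidebar
 * describes (resetting the clock, upgrading the BIOS) happen on the
 * server itself; this exercises the date logic software builds on top.
 */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Gregorian rule: every 4th year is leap, except century years,
 * except every 400th year (so 1900 is not a leap year but 2000 is). */
int is_leap_year(int year)
{
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* Roll the clock one second past 1999-12-31 23:59:59 (local time) and
 * return 1 if the library lands on 2000-01-01 00:00:00, 0 otherwise.
 * mktime() normalizes an out-of-range tm_sec by carrying into the
 * larger fields, so the century carry is exercised end to end. */
int rolls_over_to_2000(void)
{
    struct tm t;
    memset(&t, 0, sizeof t);
    t.tm_year = 1999 - 1900;   /* tm_year counts years since 1900 */
    t.tm_mon = 11;             /* December (months are 0-based) */
    t.tm_mday = 31;
    t.tm_hour = 23;
    t.tm_min = 59;
    t.tm_sec = 59 + 1;         /* one second past the last second of 1999 */
    t.tm_isdst = -1;           /* let the library decide DST */
    if (mktime(&t) == (time_t)-1)
        return 0;
    return t.tm_year + 1900 == 2000 && t.tm_mon == 0 && t.tm_mday == 1
        && t.tm_hour == 0 && t.tm_min == 0 && t.tm_sec == 0;
}

/* February 29, 2000 is a real day. A library that applies only the
 * "century years are not leap years" rule normalizes it to March 1.
 * Return 1 if the date survives normalization unchanged. */
int keeps_feb_29_2000(void)
{
    struct tm t;
    memset(&t, 0, sizeof t);
    t.tm_year = 2000 - 1900;
    t.tm_mon = 1;              /* February */
    t.tm_mday = 29;
    t.tm_hour = 12;
    t.tm_isdst = -1;
    if (mktime(&t) == (time_t)-1)
        return 0;
    return t.tm_mon == 1 && t.tm_mday == 29;
}

/* The millennium bug itself: software that stored the year as two
 * digits and prefixed "19" reads tm_year 100 (i.e. 2000) back as 1900.
 * Both helpers take a four-digit year so the comparison is explicit. */
int legacy_two_digit_year(int year)
{
    int tm_year = year - 1900;          /* what the library hands you */
    return 1900 + (tm_year % 100);      /* wrong: 2000 -> 1900 */
}

int correct_year(int year)
{
    int tm_year = year - 1900;
    return 1900 + tm_year;              /* right: 2000 -> 2000 */
}

int main(void)
{
    printf("1999-12-31 23:59:59 + 1s lands on 2000-01-01: %s\n",
           rolls_over_to_2000() ? "yes" : "NO");
    printf("February 29, 2000 kept as a valid date: %s\n",
           keeps_feb_29_2000() ? "yes" : "NO");
    printf("Year 2000 read back via two-digit storage: %d (correct: %d)\n",
           legacy_two_digit_year(2000), correct_year(2000));
    printf("is_leap_year: 1900=%d 2000=%d 2004=%d 2100=%d\n",
           is_leap_year(1900), is_leap_year(2000),
           is_leap_year(2004), is_leap_year(2100));
    return 0;
}
```

Compile with any C compiler and run it on the host being checked; a "NO" on either of the first two lines means the system's time library, and not only its hardware clock, needs attention. The hardware-level checks the sidebar describes still have to be done on the server itself.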

Kimberly Jones is a freelance writer and editor based in Chicago. She was previously a full-time editor for NetWare Connection.


Winpop Plus 


Instant messaging for NetWare networks 


INSTANT MESSAGING, 
GROUP CHAT 
AND REMOTE CONTROL! 


The award-winning solution for businesses and organizations looking to deliver popup messages instantaneously to the desktop. Winpop Plus is the only solution delivering instant messages with zero administration. By fully leveraging the directory of your existing network, Winpop Plus can communicate without maintaining a proprietary user list.


With support for Windows 95 and Windows NT on NetWare 3.x, 4.x and 
IntranetWare, Windows NT Domains, and Windows peer networks over 
IPX/SPX or TCP/IP, Winpop Plus offers a complete solution for 
organizations looking for a flexible instant communications solution. 


Download a full evaluation today! 


Call WiredRed 619 530 1447 or visit our web site 
http://www.wiredred.com 


For more information, visit http://advertise.nwconnection.com. 


Technically Speaking


NetWare 5 Client Software 
for Windows 95 and 98 


Mickey Applebaum 


Editor’s Note: Technically Speaking answers your technical 
questions, focusing on network management issues. To submit a 
question for a future column, please send an e-mail message to 
nwe-editors@nwconnection.com, or send a fax to 1-801-228-4576. 


When Novell released NetWare 5, it also released new client software to support the new features in NetWare 5. You can download the latest versions of this client software, Novell Client 3.01 for Windows 95/98 and Novell Client 4.5 for Windows NT, free from Novell's World-Wide Web site (http://www.novell.com/download).

This article describes the features that have been added to Novell Client 3.01 for Windows 95/98. This article also explores the client software's installation options and explains why you might want to use each option. (A future article will focus on Novell Client 4.5 for Windows NT. For information about a Macintosh client for NetWare 5, visit the NetWare Connection web site at http://www.nwconnection.com.)


EMBRACING TCP/IP 

Like NetWare 5, Novell Client 3.01 for Windows 95/98 includes native support for TCP/IP, thus enabling clients to establish a connection to a NetWare 5 server via the TCP/IP protocol stack that comes with Windows 95/98. With NetWare 5 and Novell Client 3.01 for Windows 95/98, you can set up a NetWare 5 network that uses only TCP/IP and the Ethernet_II frame type. This capability provides direct Internet connectivity for both clients and servers.

With previous versions of NetWare and Novell's client software, you can connect clients and servers through TCP/IP only by using NetWare/IP, Novell's TCP/IP protocol stack. In this case, servers must run special services to support TCP/IP, including the following:

• Domain Naming System (DNS), which provides name resolution

• Domain SAP/RIP Server (DSS), which eliminates the need for the server to encapsulate Routing Information Protocol (RIP) and Service Advertising Protocol (SAP) information in TCP/IP

• Network Information System (NIS), which provides internal IPX-to-IP name resolution

In addition, clients must perform a tunneling-type function that sends IPX-based NetWare Core Protocol (NCP) requests through the network via TCP/IP.
These additional services can hinder performance and can occasionally cause interoperability problems with some applications. However, you can improve performance and reduce interoperability problems by installing NetWare 5 and Novell Client 3.01 for Windows 95/98 and by running only TCP/IP on your company's network.

If you have an IPX-only environment, you should be aware 
of one possible drawback: Novell Client 3.01 for Windows 95/98 
does not support Novell’s IPX/IP gateway. 


THE Z.E.N.WORKS STARTER PACK 

Novell Client 3.01 for Windows 95/98 includes Novell’s Zero 
Effort Networks (Z.E.N.works) Starter Pack. Although primarily 
a management tool for network administrators, Z.E.N.works also 
allows users to perform some management tasks. (Novell provides 
two versions of Novell Client 3.01 for Windows 95/98: one that 
includes only the client software and one that includes both the 
client software and the Z.E.N.works Starter Pack. If you want to 
take advantage of the Z.E.N.works Starter Pack, you must ensure 
that you download the appropriate version.) 

When you install Novell Client 3.01 for Windows 95/98 with 
the Z.E.N.works Starter Pack on users’ workstations, a red icon 
shaped like the letter “N” appears in the system tray on users’ 
desktops. If users click this icon, they can perform the following 
management tasks: 


• Browse Network Neighborhood.

• Run Novell's NetWare Login utility.

• Check the status of their network connections.

• Map a network drive by using the Map Root, Map Search, or Reconnect the Mapping at Logon features.

• Disconnect a mapped network drive.

• Capture a printer port by using Novell's Capture Printer Port feature, which includes an option to reconnect at login. Although this feature uses the default capture settings defined in Novell Client 3.01 for Windows 95/98, you can modify these settings by clicking the Settings button.

• Disconnect a captured printer port.

• Send a message to any user who is logged in to the network.

• Manage their user account on the Novell Directory Services (NDS) tree or bindery that is stored on any attached server. Among other things, users can view and edit their user account information, view and edit their user login script, view their login information (such as login time restrictions), view their password information (such as password restrictions), change their password, and view their group membership.

• View or modify the client software's properties. For example, users can set a default context and capture options.


Another Z.E.N.works icon also appears in the system tray on users' desktops. (This icon resembles a desktop blotter pad.) If users click this icon, they can perform the following management tasks:

• Schedule an application to run on their workstation, and configure scheduling options.

• Register their workstation and its services with NDS. This capability is useful if a user is logged in to multiple trees at one time. For example, suppose a user's primary connection were NDS tree A and the user logged out from this tree. The user could then register with NDS tree B, and NDS tree B would become the user's primary connection.

• Display information about the NDS tree to which the user's workstation has established a primary connection. For example, users can see the name of their NDS tree and NDS context.


If you like the features offered in the Z.E.N.works Starter Pack, you might want to purchase the complete Z.E.N.works product, which offers additional management capabilities. For example, the complete Z.E.N.works product allows you to control workstations remotely, support roaming users, conduct a hardware inventory of workstations, and create help-desk request policies. (For more information about Z.E.N.works, visit Novell's web site at http://www.novell.com/products/nds/zenworks. You should also read "NDS and Z.E.N.works: Creating Transparent, Easily Managed Networks," NetWare Connection, Oct. 1998, pp. 24-33. You can download this article from http://www.nwconnection.com/oct.98/zen08.)


INSTALLATION OPTIONS 

To install Novell Client 3.01 for Win- 
dows 95/98, you run the SETUP utility, 
which has two installation options: Typi- 
cal and Custom. In almost all cases, you 
should select the Custom installation op- 
tion. This option allows you to explicitly 
assign the protocols and frame types you 
want to use to connect to your server. You 
can also select the specific workstation 
services you want to load and run. This article assumes that you are using the Custom installation option.

Note. As you install the client software, you should know Novell recommends that if you currently use 32-bit Network Driver Interface Specification (NDIS) drivers for your network interface board, you should continue using these drivers with Novell Client 3.01 for Windows 95/98—rather than installing the 32-bit Open Data-Link Interface (ODI) drivers that may come with this client software. Using 32-bit NDIS drivers helps you maintain full compatibility with Microsoft's TCP/IP protocol stack.

After you select the Custom installa- 
tion option, you are prompted to select 
one of the following protocol options: 


• IP Only. You should select the IP Only option if the client resides on a network segment that includes only NetWare 5 servers running over TCP/IP. You should also select this option if you want to prevent TCP/IP-based clients and servers from being seen by IPX-based NDS trees and servers. (If you select the IP Only option, you can specify whether or not you want the SETUP utility to remove IPX from the client.)

• IP With IPX Compatibility. You should select the IP With IPX Compatibility option if the client resides on a network segment that includes both servers running NetWare 5 over TCP/IP and servers running NetWare over IPX. If you select this option, the SETUP utility provides an IPX responder that tunnels through TCP/IP, essentially performing the reverse function of NetWare/IP.

  The IP With IPX Compatibility option allows TCP/IP-based clients to connect to a NetWare 5 server via TCP/IP. If these clients then need to connect to IPX-based devices or services, such as a NetWare server running IPX, the NetWare 5 server acts as a router between the TCP/IP-based clients and the IPX-based devices and services. (If you want a NetWare 5 server to act as a router in this way, you must bind both TCP/IP and IPX to the server's network interface board.)

  For example, you could use this capability if your company had a multisite network. Suppose one site were running TCP/IP on the local LAN segment hosted by a NetWare 5 server, while the other sites were running IPX on LAN segments hosted by NetWare 4 servers. If all clients needed to access both the NetWare 5 server and the NetWare 4 servers, you could bind TCP/IP to the LAN network interface board in the NetWare 5 server and IPX to the WAN network interface board in this server. Clients could then see both TCP/IP- and IPX-based devices and services without requiring you to run IPX on the local LAN segment.

• IP and IPX. You should select the IP and IPX option if the client resides on a network segment that includes both servers running NetWare 5 over TCP/IP and servers running NetWare over IPX. You should also select this option if you want clients and servers on the same network segment to connect via either TCP/IP or IPX.

  If you select the IP and IPX option, the SETUP utility installs two sets of client drivers: one for TCP/IP and one for IPX. In effect, the client is then operating as two separate clients. In a TCP/IP environment, the client can connect to NetWare 5 servers via TCP/IP; in an IPX environment, the client can connect to NetWare servers via IPX.

• IPX. You should select the IPX option if the client resides on a network segment that does not include any NetWare 5 servers or if this network segment is running only IPX.


After you select the protocol option you need, you are prompted to specify a primary connection type: NetWare 4/5 NDS or NetWare 3.x Bindery. A list of service options then appears, and you are prompted to select one or more service options. If you select a service option, the SETUP utility installs the service's drivers and management files as it installs the client software.

Depending on the protocol option you selected, the list of service options may include any or all of the following:


• Novell Workstation Manager. You should select the Novell Workstation Manager option if you want to manage the client's user and desktop information through NDS. For example, this option allows you to use the NetWare Administrator (NWADMIN) utility to manage desktop options, Windows policies, and Windows user profiles through NDS.

• Novell Distributed Print Services. You should select the Novell Distributed Print Services option if you want to enable real-time communications between the client and NDPS-compliant network printers. (For more information about NDPS, see "NDPS: Good-bye, Queue World," NetWare Connection, Oct. 1997, pp. 6-22. You can download this article from http://www.nwconnection.com/oct.97/ndps07.)

• Novell NetWare/IP. You should select the Novell NetWare/IP option if your network includes servers running a previous version of NetWare with NetWare/IP. This option ensures that the client can log in to these servers.

• Novell SNMP Agent. You should select the Novell SNMP Agent option if you want the SETUP utility to install an extendable Simple Network Management Protocol (SNMP) agent on the client. You should install this agent if you are using a network management product that supports SNMP.

• Host Resources MIB. You should select the Host Resources MIB option if you want to allow network management consoles to query the client for inventory purposes.

• Network Management Responder. You should select the Network Management Responder option if you want the SETUP utility to install the Network Management Responder (NMR), a transport mechanism that enables the client to send operating system, BIOS, and ODI information to network management consoles.

• Novell Target Service Agent. You should select the Novell Target Service Agent option if you want the SETUP utility to install a backup Target Service Agent (TSA), which enables backup products that are Storage Management Services (SMS) compliant to remotely back up the client's hard drive.

• Novell Remote Access Dialer. You should select the Novell Remote Access Dialer option if you want the SETUP utility to install an extendable dial-up networking program for NetWare that supports both NetWare/IP and NWCAP, Novell's password authentication protocol.

• Novell NDS Provider—ADSI. You should select the Novell NDS Provider—ADSI option if you want the SETUP utility to install a transport mechanism that enables the client to send NDS information to applications that are Active Directory Services Interface (ADSI) compliant. For example, you would use this option if you were running an application that used Novell's License Server. This option allows the application to communicate directly with NDS to find out how many licenses are available, how many licenses are in use, and whether or not the user is allowed access to the application.

42 NetWare Connection December 1998


After you select the service options you 
need, you click the Install button to begin 
the installation process. During the instal- 
lation process, you are prompted to specify 
whether you want to define the client's 
properties. You should select the Yes op- 
tion. The Client32 Properties page, which 
includes the following tabs, then appears: 


• Client. The Client tab allows you to define the preferred NDS tree, NDS context, and server, as well as the first network drive to be mapped. This tab also displays the client's major and minor version information. For example, the current client is version 3.01: The major version is 3, and the minor version is 01.

• Location Profiles. The Location Profiles tab allows you to capture the user's login properties and to store this information in a file on the network. When a user logs in to the network, information such as the preferred NDS context and server is provided by the file rather than by the client properties stored on the workstation. As a result, the user can log in to any workstation on the network and get his or her specific login properties.

• Advanced Login. The Advanced Login tab allows you to set a default, or explicit policy support, option. This tab allows you to customize the look of the login screen by adding one or more of the following buttons, which the user can click during the login process to perform various management tasks:

  - Location List. The user can click the Location List button to view the location profiles you have created.

  - Clear Connections. The user can click the Clear Connections button to select or deselect the option. If the user selects this option, the client software clears the current network connection during the login process.

  - Advanced. The user can click the Advanced button to view or edit the preferred NDS tree, NDS context, or server. The user can also click the Advanced button to enable or disable login script processing.

  - Variables. The user can click the Variables button to change login command variables.

• Contextless Login. The Contextless Login tab allows you to configure a contextless login, which enables the user to log in to the network without entering his or her NDS context. (For more information about contextless login, see the related article on p. 32.)

• Advanced Settings. The Advanced Settings tab allows you to select client functionality options, such as whether or not the client software should cache the NetWare password locally.

• Protocol Preference. The Protocol Preference tab allows you to specify the protocol order—in other words, the client's primary and secondary connection options. Novell recommends that you specify a protocol order even if the client is using only one protocol.

• Default Capture. The Default Capture tab allows you to select the capture options you want the user to use as a default when he or she executes Novell's CAPTURE command from the NetWare Services menu. For example, you can set the Timeout option or specify whether or not the user should use a banner.


After you define the client’s properties, 
the installation process continues until 
all of the client files are installed on the 
workstation. You must then reboot the 
workstation to use Novell Client 3.01 for 
Windows 95/98. 


CONCLUSION 

Although Novell Client 3.01 for Win- 
dows 95/98 is the latest version of Novell’s 
client software as we go to press, you 
should check to see if Novell has released 
a newer version before you install the cli- 
ent software. You can find the most up- 
to-date information about Novell’s client 
software on Novell’s web site (http:// 
www.novell.com/download). 

Mickey Applebaum has worked with NetWare for more than 14 years. Mickey provides technical support on the Internet for The Forums (http://theforums.com).


NDS Integration for PeopleSoft


Novell recently released Novell Directory Services (NDS) 
Integration for PeopleSoft. PeopleSoft is a suite of business 
management software solutions from PeopleSoft Inc. With 
NDS Integration for PeopleSoft, you can easily add an em- 
ployee to, or remove an employee from, your company’s Peo- 
pleSoft database. When a user is added to the PeopleSoft sys- 
tem, NDS Integration for PeopleSoft automatically creates 
an NDS user account for that individual, giving him or her 
immediate access to public network resources such as appli- 
cations, printers, and servers. 

NDS Integration for PeopleSoft also enables employees to easily and securely maintain their own records in NDS. For example, employees can enter changes to their personal records in PeopleSoft, such as home address or phone number changes, and the information will synchronize with NDS (or vice versa). Because changes to personal records are automatically recorded in both NDS and the PeopleSoft database, you no longer have to manually synchronize user data across two databases.
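The two paragraphs above describe HR-driven provisioning: an employee record in PeopleSoft creates the NDS account, and personal attributes stay synchronized in both directions. The check a practitioner would want after deploying any such integration is a reconciliation that confirms every active employee has an account, every departed employee’s account has actually been disabled, no enabled account exists without an HR record, and the synchronized attributes agree. The following Python script is an added example of that check; it is not part of the original article and is not Novell’s or PeopleSoft’s code. The pipe-delimited export format, the HR status codes "A" and "T", and all employee records are constructed assumptions; in practice you would replace the two embedded exports with a PeopleSoft extract and a directory listing.

```python
"""Reconcile an HR roster against a directory's user accounts.

Added example (not from the original article, not Novell's or
PeopleSoft's code). The HR status codes, the flat-file format and all
records below are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HRRecord:
    emp_id: str
    login: str
    status: str   # assumed HR codes: "A" = active, "T" = terminated
    phone: str


@dataclass(frozen=True)
class DirAccount:
    login: str
    emp_id: str
    disabled: bool
    phone: str


def parse_hr(text):
    """Parse a constructed 'emp_id|login|status|phone' export."""
    records = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        emp_id, login, status, phone = (f.strip() for f in line.split("|"))
        records.append(HRRecord(emp_id, login, status, phone))
    return records


def parse_dir(text):
    """Parse a constructed 'login|emp_id|disabled|phone' directory export."""
    records = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        login, emp_id, disabled, phone = (f.strip() for f in line.split("|"))
        records.append(DirAccount(login, emp_id, disabled == "1", phone))
    return records


def reconcile(hr_records, dir_accounts):
    """Return the corrective actions a provisioning tool should have taken.

    'create'  - active in HR but no directory account
    'disable' - terminated in HR but the account is still enabled
    'orphan'  - enabled account with no HR record at all
    'drift'   - phone differs between HR and directory for an active employee
    """
    hr_by_id = {r.emp_id: r for r in hr_records}
    dir_by_id = {a.emp_id: a for a in dir_accounts}
    actions = {"create": [], "disable": [], "orphan": [], "drift": []}

    for emp_id, rec in hr_by_id.items():
        acct = dir_by_id.get(emp_id)
        if rec.status == "A":
            if acct is None:
                actions["create"].append(rec.login)
            elif acct.phone != rec.phone:
                actions["drift"].append((rec.login, acct.phone, rec.phone))
        elif acct is not None and not acct.disabled:
            # Leaver whose account was never disabled: the classic gap.
            actions["disable"].append(acct.login)

    for emp_id, acct in dir_by_id.items():
        if emp_id not in hr_by_id and not acct.disabled:
            actions["orphan"].append(acct.login)

    for key in actions:
        actions[key].sort()
    return actions


# Constructed sample exports (not real data).
HR_EXPORT = """
# emp_id|login|status|phone
1001|asmith|A|801-555-0101
1002|bjones|T|801-555-0102
1003|cwu|A|801-555-0103
1004|dlee|A|801-555-0144
"""

DIR_EXPORT = """
# login|emp_id|disabled|phone
asmith|1001|0|801-555-0101
bjones|1002|0|801-555-0102
dlee|1004|0|801-555-0104
contractor9|9999|0|801-555-0199
"""


def run_sample():
    """Reconcile the two constructed exports above."""
    return reconcile(parse_hr(HR_EXPORT), parse_dir(DIR_EXPORT))


if __name__ == "__main__":
    for action, items in run_sample().items():
        print(f"{action}: {items}")
```

Run it as a script to print the four action lists. Empty 'disable' and 'orphan' lists are the result you want to see; those two are where an integration that only handles new hires leaves live accounts behind, and they are worth checking on a schedule rather than trusting the synchronization to have happened.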

You can purchase NDS Integration for PeopleSoft from Novell Consulting Services. NDS Integration for PeopleSoft must be installed by a Novell consultant. For more information about NDS Integration for PeopleSoft, visit Novell’s World-Wide Web site (http://consulting-novell.com), or call Novell Consulting Services at 1-800-453-1267 ext. 13467 or 1-801-861-3467. For more information about PeopleSoft applications, visit PeopleSoft’s web site (http://www.peoplesoft.com).
NetWare and Oracle8i

Novell recently announced an agreement with Oracle Corp. to provide support for Oracle8i, Oracle’s database for the Internet. This combination of NetWare and Oracle8i technology will allow users to consolidate applications, files, and database information onto a central server and then access these tools and information over the Internet.

Oracle8i’s Internet development and deployment platform allows users to create robust, scalable Internet and intranet applications quickly and easily. When combined with NDS, Oracle8i will provide even more network management capabilities and data security features. In addition, the Oracle8i/NDS combination will enable single sign-on to both the Novell network and any Oracle-based Internet applications available on the network. Novell plans to make Oracle8i available with future versions of NetWare.


Novell SQL Integrator for NetWare 4 and NetWare 5


Novell recently released the open beta version of Novell SQL Integrator for NetWare 4 and NetWare 5, a database management solution. With Novell SQL Integrator for NetWare 4 and NetWare 5, you can access data that is stored in multiple databases across a network, an intranet, or the Internet. Novell SQL Integrator for NetWare 4 and NetWare 5 supports thousands of databases that are based on the SQL, Open Database Connectivity (ODBC), or Java Database Connectivity (JDBC) standards. For example, Novell SQL Integrator for NetWare 4 and NetWare 5 supports Oracle8, SQL Server, Informix, and Sybase. In addition to providing access to data, Novell SQL Integrator for NetWare 4 and NetWare 5 provides components that make it easier for developers to write database applications.
For more information about Novell SQL Integrator for NetWare 4 and NetWare 5, visit Novell’s web site (http://www.novell.com). You can download the open beta version of Novell SQL Integrator for NetWare 4 and NetWare 5 free from http://support.novell.com/beta/public.
Novell Replication Services 1.21

Novell recently released Novell Replication Services (NRS) 1.21, which allows you to replicate information across your company’s network or intranet. With NRS 1.21, you can distribute information stored on one server to multiple servers in the NDS tree. NRS 1.21 then synchronizes this information whenever a change is made. As a result, users can access up-to-date information from a local server.

Because NRS 1.21 is integrated with NDS, you can easily manage the entire replication and synchronization process using NDS. NRS 1.21 allows you to establish up to 15 replica servers for each master server, and you can place the NRS database on any volume on the network. NRS 1.21 also provides a server console screen which displays the operations that NRS 1.21 is currently performing. In addition, NRS 1.21 includes a NetWare Administrator snap-in utility which allows you to view the synchronization status of all servers on the network.

You can purchase NRS 1.21 from any Novell authorized reseller. If you currently own an older version of NRS, you are eligible for a free upgrade to NRS 1.21. For more information, visit Novell’s web site (http://www.novell.com/nrs), or call 1-888-321-4272 or 1-801-228-4272.
NDS and Bay Networks’ Optivity Policy Services

Novell and Bay Networks, a Nortel Networks company, recently announced an agreement to integrate Novell’s NDS with Bay Networks’ Optivity Policy Services suite. Integrating NDS with the Optivity Policy Services suite will enable you to define company policies based on user objects or other attributes defined in NDS and then apply these policies to each user object in the NDS tree, regardless of the user’s location or IP address.

After defining the policies, you will be able to automatically allocate network resources based on your company’s policies. You will also be able to maintain user information, applications, and equipment from a central location. The NDS and Optivity Policy Services suite will be released during the second quarter of 1999.
NUI: NetWare Users International

Facing the Challenges of the Future

A Message From the NUI, NA President

Raymond H. Osburn


As another year ends and we find ourselves one year closer to the next millennium, it is easy to become increasingly anxious about what the year 2000 will bring. After all, the new millennium could spell disaster for companies that have not made sure their computer systems are prepared for the change.

Novell has ensured that the NetWare Users International, North America (NUI, NA) computer system will remain intact when the year 2000 arrives, but NUI, NA will face other challenges over the next several years. Despite the challenges, NUI, NA anticipates progress and growth.


INCREASING NETWARE USER GROUP MEMBERSHIP 

One of the greatest challenges currently facing NUI, NA is increasing the enrollment in NetWare user groups. As the Internet has grown, people have found that it is easy to search the Internet for answers to their networking questions. With the click of a mouse, you can have immediate access to more networking-related information than you could possibly digest in a single sitting.

Although searching the Internet is easy and convenient, it may not be the perfect solution to finding answers to networking questions. The advantages of accessing information on the Internet cannot replace the value of interacting face-to-face with other people who meet the same challenges you do. NetWare user groups offer this kind of personal interaction.

At NetWare user group meetings, networking professionals meet to discuss the day-to-day issues surrounding their companies’ networks. You can ask questions, suggest solutions, discuss tips and tricks for getting the most out of a network, preview new networking products, and learn about ways to repair or revitalize a network. The information gained in a single hour at a NetWare user group meeting can be far more profitable—and enjoyable—than hours of surfing the Internet for answers. You can even do some networking of your own by meeting other networking professionals.

In addition to holding regular meetings, many NetWare user groups offer special evening or Saturday workshops, hands-on labs, and study groups for members who are working toward CNE certification. By joining a NetWare user group, you can improve your skills and enjoy new opportunities in the networking industry. You can also enroll in the NUI, NA National Membership program to receive additional benefits such as discounts on products and services. (For more information about these benefits, visit NUI’s World-Wide Web site at http://www.novell.com/nui.)
IMPROVING EDUCATION

Another challenge that NUI, NA faces is how to improve the quality and the availability of NetWare conferences. During the past year, NUI, NA conducted 27 InterConnect ’98 conferences in cities across the United States. The feedback on these conferences has been positive, especially for the popular NetWare 5 First Class Training track, which featured hands-on NetWare 5 training.

NUI, NA will continue to provide extensive training on issues surrounding NetWare 5, as well as other topics relevant to Novell networking professionals. NUI, NA and Novell are currently working together to provide opportunities for education in more cities than ever before.


JOIN US! 

As membership in NetWare user groups grows over the next several years, NUI, NA will face challenges such as keeping pace with the needs of its members worldwide and maintaining a close connection to individual NetWare user groups. However, with these challenges will come exciting new opportunities as well.

Visit your local NetWare user group and discover the benefits of membership for yourself. For more information about NUI, NA or to locate the NetWare user group nearest you, visit NUI’s web site (http://www.novell.com/nui), or call 1-800-228-4NUI or 1-801-228-4500.

Raymond H. Osburn is the president of NUI, NA. You can reach him by sending an e-mail message to uvrosbur@ihc.com.
Sweet Charity

Matthew Jones


Now that the holiday season has arrived, you are probably busy shopping for gifts, decorating your house, and visiting your friends and family. In the midst of this hustle and bustle, it’s easy to forget one of the important purposes of the holidays: helping others. You don’t have to take much time out of your holiday schedule to share your bounty with people in need. All you have to do is visit the World-Wide Web sites mentioned in this article to donate money to a worthy cause.

And if old hardware and software are gathering dust in your home or office, you should check out this month’s network resources, which explain how you can donate computer equipment to various charitable organizations. You can then find a few gifts for yourself by checking out the games and new products I have found. (See “Product Snapshots” on p. 48.)


WORLD-WIDE WEB SITES 

The American Red Cross (http://www.redcross.org) is at the forefront of charitable organizations that help disaster victims. If you want to help people whose lives have been devastated by hurricanes, floods, or other national and international disasters, you should visit this web site. Using your credit card, you can make a donation to the American Red Cross online, and you can specify whether to allocate this donation to the Disaster Relief Fund, the International Relief Fund, or community services in your area.

Habitat for Humanity (http://www.habitat.org) is a charitable organization that provides homes for people who cannot afford to purchase their own, relying on volunteers to help build these homes. If you want to become a volunteer, you can find contact information at this web site for the chapter near you, and you can access a list of upcoming events that require volunteers in various areas. You can also use your credit card to make a donation to Habitat for Humanity online.

The American Cancer Society (http://www.cancer.org) offers several ways for you to make a donation online. For example, you can use your credit card to make a donation in your own name, in memory of someone who has died, or in honor of a friend or family member who is still living. You can also arrange a planned gift, which enables you to make a donation through a will, a charitable gift annuity, a charitable remainder trust, or a pooled income fund. You can even donate an old car, truck, or boat to the American Cancer Society. Proceeds from the sale of your vehicle will go towards cancer research and education.

To find additional charitable organizations, check out Guidestar (http://www.guidestar.org). Guidestar includes hypertext links to the web sites of nearly 300 charitable organizations, from the AAA Foundation for Traffic Safety to the World Wildlife Fund.


NETWORK RESOURCES 

Donating money is not the only way to help people in need: You can donate computer equipment as well. Instead of letting old hardware and software go to waste, you can donate these components to Computers for Schools (http://wwwnt.thegroup.net/detwiler), which distributes donated computer equipment to schools. At the Computers for Schools web site, you can find out how to donate computer equipment, and you can get information about the equipment needed by schools in your state.

Even if you do not have any computer equipment you can donate, you probably have computer skills you can share. Freebytes (http://www.freebytes.org) needs computer professionals who can rehabilitate donated computer equipment, create usable computer systems, and place these computer systems with schools and nonprofit organizations.


STANDALONE GAME OF THE MONTH 

Trespasser: Jurassic Park from DreamWorks Interactive is based on the best-selling book Jurassic Park and on the blockbuster movie of the same name. As the game begins, your plane crashes in the waters near Costa Rica. You are knocked unconscious, only to awaken on a beautiful tropical island. You soon discover that this island is the same one that used to house a colony of dinosaurs brought to life by a visionary scientist. When a freak accident occurred, the dinosaurs were allegedly destroyed.

As you try to find your way off the island, you discover that there is more to the story: The dinosaurs survived the accident, and they are hungry! You encounter several types of dinosaurs in Trespasser: No game based on Jurassic Park would be complete without the Tyrannosaurus Rex or the Velociraptor, but the Triceratops, Stegosaurus, and Parasaurolophus also make an appearance. Every time a dinosaur steps on the terrain, brushes against a building, or swings at its prey, the physical forces acting on the dinosaur are accurately displayed. Because these dinosaurs are modeled on the fly, they look incredibly realistic.

To prevent yourself from becoming dinosaur food, you must use a variety of guns, such as a .38 Special and a .357 Magnum, to kill the dinosaurs before they kill you. You can also use any aspect of the terrain, such as rocks and lengths of rebar, to your advantage. And you can move in any way you want, just as the dinosaurs can.

Trespasser: Jurassic Park supports Windows 98 and Windows 95. You can purchase Trespasser: Jurassic Park through retail channels at the suggested retail price of U.S. $49.95. For more information about Trespasser: Jurassic Park, visit DreamWorks Interactive’s web site (http://www.dreamworksgames.com/games/trespasser). You can also call 1-425-635-7134.
Your Source for Classic Networking Literature

Novell’s CNE Update to NetWare 5 Study Guide
David James Clarke, IV. 500pp. ISBN: 45590. Retail Price: $49.99. Our Price: $37.49.
This study guide covers Novell Course 529 for CNEs who want to update their certification. This book focuses on the differences between NetWare 5 and earlier versions of NetWare, including installation and troubleshooting. (Available after December 20.)

XML: A Primer
Simon St. Laurent. 416pp. ISBN: 592X. Retail Price: $24.99. Our Price: $18.74.
This book explains the features of XML (eXtensible Markup Language), including tips on integrating XML with dynamic HTML, creating custom search tools, managing documents with XML, and using XML for data-driven applications.

Novell’s Guide to Networking Hardware
Kevin Shafer. 1358pp. ISBN: 45531. Retail Price: $69.99. Our Price: $52.49.
A beginning- to intermediate-level administrator’s guide to NetWare hardware requirements. Discusses and describes minimum hardware requirements. Includes a CD-ROM containing a list of driver files, support modules, and adapter configuration files.

Network Security in a Mixed Environment
Dan Blacharski. 403pp. ISBN: 31522. Retail Price: $39.99. Our Price: $29.99.

TCP/IP Administration
Craig Zacker. 630pp. ISBN: 31581. Retail Price: $49.99. Our Price: $37.49.

Java Bible
Aaron Walsh and John Fronckowiak. 960pp. ISBN: 80302. Retail Price: $49.99. Our Price: $37.49.

Creating Cool HTML 4 Web Pages
Dave Taylor. 433pp. ISBN: 32014. Retail Price: $29.99. Our Price: $22.49.

Building a Strategic Extranet
Bryan Pfaffenberger. 403pp. ISBN: 31255. Retail Price: $29.99. Our Price: $22.49.

Novell’s GroupWise 5 User’s Handbook
Shawn B. Rogers and Richard H. McTague. 260pp. ISBN: 45094. Retail Price: $24.99. Our Price: $18.74.

HTML 4 Bible
Bryan Pfaffenberger and Alexis D. Gutzman. 903pp. ISBN: 32200. Retail Price: $49.99. Our Price: $37.49.

Novell’s GroupWise 5.5 User’s Handbook
263pp. ISBN: 45523. Retail Price: $24.99. Our Price: $18.74.

Novell’s Guide to NetWare for Small Business 4.11
Eric Harper and David L. Gardner. 408pp. ISBN: 45043. Retail Price: $34.99. Our Price: $26.24.

How To 2000
Raytheon Systems. 656pp. ISBN: 31018. Retail Price: $49.99. Our Price: $37.49.

Novell’s Guide to Integrating intraNetWare and NT
J.D. Marymee and Sandy Stevens. 529pp. ISBN: 4523X. Retail Price: $44.99. Our Price: $33.74.

Novell’s Guide to Creating intraNetWare Intranets
Karanjit Siyan. 777pp. ISBN: 45310. Retail Price: $39.99. Our Price: $29.99.

Novell’s Guide to Resolving Critical Server Issues
Richard Jensen and Brad W. Dayley. 684pp. ISBN: 45507. Retail Price: $59.99. Our Price: $44.99.

Novell’s Guide to TCP/IP and intraNetWare
Drew Heywood. 788pp. ISBN: 45329. Retail Price: $49.99. Our Price: $37.49.

NDS for NT
Jeffrey F. Hughes and Blair W. Thomas. 432pp. ISBN: 45515. Retail Price: $39.99. Our Price: $29.99.

Novell’s GroupWise 5 Administrator’s Guide
Shawn B. Rogers and Richard H. McTague. 704pp. ISBN: 45213. Retail Price: $44.99. Our Price: $33.74.

Novell’s Encyclopedia of Networking (30% off)
Kevin Shafer. 1,192pp. ISBN: 45116. Retail Price: $69.99. Our Price: $48.99.

Novell’s Certified Web Designer Study Guide (30% off)
Jim Bowman. 600pp. ISBN: 45485. Retail Price: $49.99. Our Price: $34.99.

Novell’s Guide to BorderManager
J.D. Marymee and Sandy Stevens. 350pp. ISBN: 4540X. Retail Price: $49.99. Our Price: $37.49.

Novell’s Certified Internet Business Strategist Study Guide (30% off)
Jim Bowman. 456pp. ISBN: 45493. Retail Price: $39.99. Our Price: $27.99.

Novell’s Internet Plumbing Handbook (30% off)
Peter Rybaczyk. 311pp. ISBN: 4537X. Retail Price: $34.99. Our Price: $24.49.

Novell’s Guide to LAN/WAN Analysis: IPX/SPX
Laura A. Chappell. 874pp. ISBN: 45086. Retail Price: $59.99. Our Price: $44.99.

Novell’s Introduction to intraNetWare (30% off)
Kelley J.P. Lindberg. 416pp. ISBN: 45302. Retail Price: $39.99. Our Price: $27.99.

LearnKey’s intraNetWare 4.11 Bundle
10 videos. ISBN: 290692. Retail Price: $789.00. Our Price: $465.00.

LearnKey’s NetWare 5.0 Migration
Kent Erickson and James Swartz. 3 videos. ISBN: 290899. Retail Price: $249.95. Our Price: $187.46.

Novell Advanced Technical Training Videos by Novell Technical Support Services
Retail Price: $59.95. Our Price: $44.95.

For More Information Visit Our Web Site: http://bookstore.nwconnection.com

*Prices are in US dollars and are subject to change.

NetWare Connection Bookstore Order Form

TO ORDER: shop online at http://bookstore.nwconnection.com, fax this form to 1-801-465-4755, or mail it to Order Entry, NetWare Connection, PO Box 19007, Provo, UT 84605-9007. Enter the quantity for each item.

ISBN | Product | Lbs. | Retail Price (US$) | Our Price (US$)
592X | XML: A Primer (NEW!) | 2 | $24.99 | $18.74
31018 | How To 2000 | 3 | $49.99 | $37.49
31255 | Building a Strategic Extranet (NEW!) | 2 | $29.99 | $22.49
31522 | Network Security in a Mixed Environment (NEW!) | 2 | $39.99 | $29.99
31581 | TCP/IP Administration (NEW!) | 3 | $49.99 | $37.49
32014 | Creating Cool HTML 4 Web Pages (NEW!) | 3 | $29.99 | $22.49
32200 | HTML 4 Bible | 4 | $49.99 | $37.49
45043 | Novell’s Guide to NetWare for Small Business 4.11 | 3 | $34.99 | $26.24
45086 | Novell’s Guide to LAN/WAN Analysis: IPX/SPX | 4 | $59.99 | $44.99
45094 | Novell’s GroupWise 5 User’s Handbook | 2 | $24.99 | $18.74
45116 | Novell’s Encyclopedia of Networking (30% off) | 6 | $69.99 | $48.99
45213 | Novell’s GroupWise 5 Administrator’s Guide | 3 | $44.99 | $33.74
4523X | Novell’s Guide to Integrating intraNetWare and NT | 3 | $44.99 | $33.74
45280 | Novell’s Dictionary of Networking (30% off) | 3 | $24.99 | $17.49
45302 | Novell’s Introduction to intraNetWare (30% off) | 3 | $39.99 | $27.99
45310 | Novell’s Guide to Creating intraNetWare Intranets | 3 | $39.99 | $29.99
45329 | Novell’s Guide to TCP/IP and intraNetWare | 3 | $49.99 | $37.49
4537X | Novell’s Internet Plumbing Handbook (30% off) | 2 | $34.99 | $24.49
4540X | Novell’s Guide to BorderManager | 2 | $49.99 | $37.49
45485 | Novell’s Certified Web Designer Study Guide (30% off) | 3 | $49.99 | $34.99
45493 | Novell’s Certified Internet Business Strategist Study Guide (30% off) | 3 | $39.99 | $27.99
45507 | Novell’s Guide to Resolving Critical Server Issues | 3 | $59.99 | $44.99
45515 | NDS for NT | 3 | $39.99 | $29.99
45523 | Novell’s GroupWise 5.5 User’s Handbook | 2 | $24.99 | $18.74
45531 | Novell’s Guide to Networking Hardware (NEW!) | 6 | $69.99 | $52.49
45590 | Novell’s CNE Update to NetWare 5 Study Guide (NEW!) | 2 | $49.99 | $37.49
80302 | Java Bible (NEW!) | 4 | $49.99 | $37.49
290692 | LearnKey’s intraNetWare 4.11 Bundle | (weight not legible) | $789.00 | $465.00
290899 | LearnKey’s NetWare 5.0 Migration | 2 | $249.95 | $187.46

Shipping charges by total weight (UPS Ground / UPS 2-Day):
1-3 lbs.: $4.50 US / $11.50 US
4-6 lbs.: $6.50 US / $13.50 US
7-9 lbs.: $8.50 US / $17.50 US
10-12 lbs.: $10.50 US / $21.50 US
13-15 lbs.: $12.50 US / $25.50 US
16-18 lbs.: $14.50 US / $28.50 US
19-30 lbs.: $16.50 US / $41.50 US
*If you live outside the continental U.S., shipping charges vary; you will be charged accordingly.

Order total: total weight (lbs.), subtotal, UT residents add 6.25% sales tax, add shipping charges (see the table above).

NOTE: Upgrading to UPS 2-day does not guarantee that you will receive your order in two days. Please allow 2-3 working days for your order to be processed and 2 days for it to be shipped. (Please allow up to four weeks for popular items.)

Make all checks payable to NetWare Users International. Personal check orders are subject to a 10-day processing period.

Ship To: Shipping Address; City; State/Province; ZIP/Postal Code; Country; Phone; Fax.
Payment Info (check one): Visa, MasterCard, American Express, Discover. Cardholder Name.

Product Snapshots


When I am looking for the latest computer games, I often find new and interesting products. Product Snapshots gives you a quick overview of the most useful products I have found during the last month. (Please note that these are first-look reviews.)


AIT AUTOLOADER 

Advanced Intelligent Tape (AIT) Autoloader from Procom Technology Inc. is a new type of tape drive based on intelligent tape technologies. For example, AIT Autoloader uses intelligent recording and data compression technologies to provide extensive storage capacity in a small device. As a result, you can store up to 25 GB of raw data or 50 GB of compressed data on a single AIT cartridge. And because AIT Autoloader holds four AIT cartridges, you can take advantage of a total storage capacity of up to 200 GB.

AIT Autoloader uses the Memory In Cassette (MIC) architecture to speed up users’ access to data. When a user tries to access stored data, most tape drives must rewind the cartridge to load the directory, which points to the requested data. With the MIC architecture, however, a 16 KB memory chip is built into each AIT cartridge. This memory chip stores the directory so that AIT Autoloader doesn’t have to rewind AIT cartridges to locate data, thus eliminating the delays that often slow performance with other tape drives.

AIT Autoloader, which is fully compatible with most backup software, is available as an internal tape drive or an external tape drive, both of which are SCSI-2 Fast/Wide tape drives. AIT Autoloader is also available in a single-drive configuration or in a dual-drive configuration. With the dual-drive configuration, AIT Autoloader provides a total storage capacity of up to 400 GB.

You can purchase AIT Autoloader through retail channels at the suggested retail price of U.S. $6,145 for the single-drive configuration or U.S. $11,085 for the dual-drive configuration. For more information about AIT Autoloader, visit Procom Technology’s World-Wide Web site (http://www.procom.com). You can also call 1-800-800-8600 or 1-949-852-1000.


ENCARTA REFERENCE SUITE 99

Encarta Reference Suite 99 from Microsoft Corp. is the latest version of Microsoft’s popular online reference set. Encarta Reference Suite 99 includes the following components:

• Encarta Encyclopedia Deluxe 99. Encarta Encyclopedia Deluxe 99 includes more than 40,000 encyclopedia articles and thousands of multimedia elements, such as video, audio, and animation clips. Encarta Encyclopedia Deluxe 99 offers a new interface that allows you to seamlessly move between encyclopedia articles, original source documents, and related web sites. Encarta Encyclopedia Deluxe 99 also offers the Encarta Explorer feature, which allows you to visually browse for information, and the Virtual Tours feature, which allows you to tour noteworthy places throughout the world, such as Mount Everest.

• Encarta Virtual Globe 99. Encarta Virtual Globe 99 includes maps and geography articles about countries and global issues. Because Encarta Virtual Globe 99 is organized as a geographic model rather than individual maps, you can view the world just as if you were traveling from one place to another.

• Microsoft Bookshelf 99. Microsoft Bookshelf 99 includes online versions of nine reference books and directories, all of which are fully searchable. For example, you can search The American Heritage Dictionary, Roget’s Thesaurus, and the National Five-Digit ZIP and Post Office Directory.

Encarta Reference Suite 99 supports Windows NT 4.0, Windows 98, and Windows 95. You can purchase Encarta Reference Suite 99 through retail channels at the suggested retail price of U.S. $99.95. For more information about Encarta Reference Suite 99, visit Microsoft’s Encarta web site (http://encarta.msn.com/products/suite/default.shtm). You can also call 1-800-426-9400 or 1-425-882-8080.


NETWORK GAME OF THE MONTH 

Age of Empires: The Rise of Rome from Microsoft Corp. is an add-on module for the popular strategy game Age of Empires. Although most add-on modules offer little more than new scenarios for existing games, Age of Empires: The Rise of Rome offers new campaigns, civilizations, battle units, and buildings to keep you interested.


As with Age of Empires, the objective of Age of Empires: The Rise of Rome is global domination. Specifically, Age of Empires: The Rise of Rome focuses on Julius Caesar’s attempt to extend the Roman Empire to every corner of the world. You can engage in various campaigns, such as one that pits the Roman legions against those of Cleopatra, the Queen of Egypt.

Age of Empires: The Rise of Rome adds the Roman, Carthaginian, Macedonian, and Palmyran civilizations to the 12 ancient civilizations already available in Age of Empires. In addition, Age of Empires: The Rise of Rome includes new battle units, such as scythe chariots and fire galleys, and new buildings, such as the Roman Colosseum.

You can play Age of Empires: The Rise of Rome against the computer or against one other person over a modem connection. You can also play Age of Empires: The Rise of Rome with up to seven other people over a network or Internet connection. If you visit Microsoft’s Internet Gaming Zone (http://www.zone.com), you can also play Age of Empires: The Rise of Rome free with tens or even hundreds of people.

Age of Empires: The Rise of Rome supports Windows NT 4.0, Windows 98, and Windows 95. You can purchase Age of Empires: The Rise of Rome through retail channels at the suggested retail price of U.S. $20, and you can download a trial version of the game from http://www.microsoft.com/games/aoeexpansion/msdd_aoex.asp. (Because Age of Empires: The Rise of Rome is an add-on module, you must also purchase Age of Empires if you have not done so already. Age of Empires is available through retail channels at the suggested retail price of U.S. $34.95. You can download a trial version from http://www.microsoft.com/msdownload/games/empires/download.htm.)

For more information about Age of Empires: The Rise of Rome, visit Microsoft’s web site (http://www.microsoft.com/games/aoeexpansion). You can also call 1-800-426-9400 or 1-425-882-8080.

Matthew Jones works for Waterstone Consulting in Chicago, Illinois. You can reach him at matthew@netfire.com.
ADVERTISING AREAS

Deliver your message to the major players in the networking industry: network administrators, IS managers, network consultants, and systems integrators. Advertise in NetWare Connection!

Contact one of our sales managers today:

AREA 1: Kaye Young (California). Tel: 1-949-551-4924. Fax: 1-949-551-9614.
AREA 2: Brian Smith (Utah). Tel: 1-801-465-4901. Fax: 1-801-465-4755.
AREA 3: Steve Branda (New Jersey). Tel: 1-201-599-0050. Fax: 1-201-599-0070.

For more information, visit http://advertise.nwconnection.com.

ON THE WEB, NO ONE KNOWS HOW SMALL YOUR COMPANY IS. Netfinity 3000. Build a reliable network that runs Windows NT or other operating systems. Start doing business on the Web. Your choice of Lotus Domino or Lotus Domino Intranet Starter Pack, 90-day IBM Start Up Support and a 3-year limited warranty are included. And with SystemXtra you can get a hardware, software, services and financing package. Visit www.ibm.com/netfinity or call 1 800 IBM 7255, ext. 4761.

Pentium II processor up to 350 MHz / Up to 384MB ECC SDRAM memory / 100 MHz bus speed / From $1,769*